Solved: New Forwarder Added

amN0P · ‎07-12-2011

Is there a way of triggering an automated email alert whenever a NEW host(forwarder) starts sending logs to the Splunk Server.

amN0P · ‎08-12-2011

Thanks Vlad.

One more way of doing this..

Above search returns new forwarders added in the last 5 days.

View solution in original post

amN0P · ‎08-12-2011

Thanks Vlad.

One more way of doing this..

Above search returns new forwarders added in the last 5 days.

reedmohn · ‎12-17-2015

Doesn't this show all forwarders that have logged in the past 5 days?

Vladimir · ‎07-13-2011

Maybe it's not a right way but I used some similar query for alarm to check if I "lost" some hosts

index=my_index host earliest=-5m latest=now | dedup host | eval StatusBefore=1 | join type=left host [search index=my_index host earliest=-65m latest=-60m  | dedup host | eval StatusNow=1 ] | eval Status=if(StatusBefore=StatusNow,1,0) | table host, Status | where Status=0

This query do:

check available hosts for last 5 minutes
check available hosts for 5 minutes - 1 hour
compare two results (status = 1 - OK, status = 0 - new host)

Depending on your data polling interval you can set your own periods.

New Forwarder Added

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation