Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- New Forwarder Added
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way of triggering an automated email alert whenever a NEW host(forwarder) starts sending logs to the Splunk Server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Vlad.
One more way of doing this..
| metadata index=index* OR index=main type=hosts | eval age = now()-lastTime | where age < 432000| sort age d | convert ctime(lastTime) | fields age,host,lastTime
Above search returns new forwarders added in the last 5 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Vlad.
One more way of doing this..
| metadata index=index* OR index=main type=hosts | eval age = now()-lastTime | where age < 432000| sort age d | convert ctime(lastTime) | fields age,host,lastTime
Above search returns new forwarders added in the last 5 days.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesn't this show all forwarders that have logged in the past 5 days?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe it's not a right way but I used some similar query for alarm to check if I "lost" some hosts
index=my_index host earliest=-5m latest=now | dedup host | eval StatusBefore=1 | join type=left host [search index=my_index host earliest=-65m latest=-60m | dedup host | eval StatusNow=1 ] | eval Status=if(StatusBefore=StatusNow,1,0) | table host, Status | where Status=0
This query do:
- check available hosts for last 5 minutes
- check available hosts for 5 minutes - 1 hour
- compare two results (status = 1 - OK, status = 0 - new host)
Depending on your data polling interval you can set your own periods.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
