Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search to find when a forwarder restarted?

a212830
Champion
‎01-31-2015 07:36 AM

Hi,

Is there a search that I can run that shows when a forwarder starts, and is considered up and running? I want to create transactions - one that shows it starts and is running, and another that shows it started but isn't running (and therefore some errors may exist).

0 Karma
Reply

thomrs
Communicator
‎02-01-2015 11:30 AM

There are messages in the internal logs, _*. 

index =_*  host=<fwd name> starting

Even better is the deployment app, look for all kinds of things and is easy to setup alerts.

https://apps.splunk.com/app/1294/

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...