Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

monitor to check whether the logging (receiving) is working or not !!!

basilboon
New Member
‎02-07-2013 05:48 AM

Hi Splunk Team,

First of all you got a great app !! Thanks for that !!

My master Splunk has setup correctly and forwards logs to another active splunk. Yesterday when checked the log receiving has been stopped because of the disk space in the server. It got fixed after increasing the disk space.

Now the thing is, we are trying to setup a monitor using our tool (ICINGA) just to check whether the log receiving is up to date.

Is there any command to show whether the logs are up to date ?

Let me know if you need more information.

Regards,
Basil

Tags (2)
0 Karma
Reply

basilboon
New Member
‎02-08-2013 12:06 AM

Hi Daniels,

Thanks for your reply.

The exact thing I want is to write a shell script (bash) to monitor whether the logging is working properly. The script will run in every five min and get the data (some how via shell) and send the mail to a distribution list, if only the logging is not working for the past one hour or so.

Just wanna know if there is any commands to identify this from back end (server console).

Regards,
Basil

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎02-07-2013 06:31 AM

Check out this previous Splunkbase answer. You can create an alert based on that search. You'll just need to adjust the time to be 'age > somenumber' in seconds. The example below is checking to see if there are any hosts that haven't sent events in the last two days. If the search comes up empty it means you are ok. If you get a values you can alert on them to let you know which hosts might be having issues sending data to Splunk.

http://splunk-base.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data

| metadata index=main type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

0 Karma
Reply

basilboon
New Member
‎02-08-2013 12:06 AM

Hi Daniels,

Thanks for your reply.

The exact thing I want is to write a shell script (bash) to monitor whether the logging is working properly. The script will run in every five min and get the data (some how via shell) and send the mail to a distribution list, if only the logging is not working for the past one hour or so.

Just wanna know if there is any commands to identify this from back end (server console).

Regards,
Basil

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...