How to create an alert for if any deployment or UF...

sekhar463 · ‎08-16-2022

hai all,

we have multiple forwarders installed nearly 1000above.

we want to know if any UF stops sending data to splunk due to splunk service not running.

how can i create dashboard to check if UF is not sending or client is not connected.

thanks

gcusello · ‎08-17-2022

Hi @sekhar463,

as @richgalloway said, in Monitoring Console you have an alert and a dashboard answering to your question.

If they don't like you you could create your own hosts list in a lookup (called e.g. perimeter.csv) and run searches like this:

for the alert

| metasearch _internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count ]
| stats sum(count) AS total BY host
| where total=0

for the dashboard:

| metasearch _internal
| eval host=lower(host)
| stats count BY host
| eval kind="In search"
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0, kind="In lookup"
   | fields host count kind ]
| stats sum(count) AS total dc(kind) AS kind_count BY host
| eval status=case(total=0,"Missing",kind_count=2,"Present",kind_count=1 AND total>0,"New host")
| table host status

Ciao.

Giuseppe

richgalloway · ‎08-16-2022

The Monitoring Console has such a dashboard. In the MC, go to Settings->Forwarder Monitoring Setup. Once the setup is complete, Then go to Forwarders->Forwarders:Deployment to see the dashboard.

---
If this reply helps you, Karma would be appreciated.

How to create an alert for if any deployment or UF is stops sending data to splunk?

audit

forwarder

proactive Splunk component monitoring

splunkd

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Developer Spotlight with Guilhem Marchand

Join the Conversation