Monitoring Splunk

How to create an alert if any deployment or UF stops sending data to Splunk?

sekhar463
Path Finder

Hi all,

We have multiple forwarders installed, nearly 1000 and above.

We want to know if any UF stops sending data to Splunk due to the Splunk service not running.

How can I create a dashboard to check if a UF is not sending or a client is not connected?

Thanks

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

as @richgalloway said, in the Monitoring Console you have an alert and a dashboard answering your question.

If they don't like you, you could create your own hosts list in a lookup (called e.g. perimeter.csv) and run searches like this:

For the alert:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count ]
| stats sum(count) AS total BY host
| where total=0

For the dashboard:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| eval kind="In search"
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0, kind="In lookup"
   | fields host count kind ]
| stats sum(count) AS total dc(kind) AS kind_count BY host
| eval status=case(total=0,"Missing",kind_count=2,"Present",kind_count=1 AND total>0,"New host")
| table host status

Ciao.

Giuseppe

0 Karma
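A variant of the lookup-based alert above that also reports how long each listed host has been silent, going one step beyond the zero-event check (an added example, not part of the original reply). It assumes perimeter.csv has a `host` column as in the reply, a search time range of about 24 hours, and a 15-minute silence threshold; `last_seen`, `in_lookup` and `silent_minutes` are illustrative field names.

```spl
| tstats latest(_time) AS last_seen WHERE index=_internal BY host
| eval host=lower(host)
| stats max(last_seen) AS last_seen BY host
| append [
   | inputlookup perimeter.csv
   | eval host=lower(host), in_lookup=1
   | fields host in_lookup ]
| stats max(last_seen) AS last_seen max(in_lookup) AS in_lookup BY host
| where in_lookup=1
| eval silent_minutes=if(isnull(last_seen), null(), round((now()-last_seen)/60))
| eval status=case(isnull(last_seen), "No data in search window", silent_minutes>15, "Silent", true(), "OK")
| where status!="OK"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host status last_seen silent_minutes
```

Hosts that report but are not in the lookup are dropped by `where in_lookup=1`, so the alert fires only for forwarders you expect to see.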

richgalloway
SplunkTrust

The Monitoring Console has such a dashboard. In the MC, go to Settings->Forwarder Monitoring Setup. Once the setup is complete, go to Forwarders->Forwarders:Deployment to see the dashboard.

---
If this reply helps you, Karma would be appreciated.
0 Karma