Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use Deployment Monitor or other tools to alert if a host's event count > 0 in the last 24 hours, but no events in the last hour?

dolejh76
Communicator
‎04-13-2015 09:54 AM

Had a server that rebooted this weekend and the Universal Forwarder Service did not start. I want to get alerts about this, so after some digging - it looks like deployment monitor can do this.

I have set up a 15 min cron job to look for

dm_missing_forwarders

But now I am getting emails on a server that we shut down temporarily.

Can anyone tell me - what the dm_missing_forwarders is looking for - it states "A missing forwarder has connected at some point in the past, but has not connected in the last 24 hours"

Does "at some point" mean any time at all? How do we exclude servers from this list?

If there are better suggestions on how to monitor services (within splunk) please let me know. I have some other monitoring tools, but don't want to load agents on my servers if I can use splunk.

Basically all I want is...

If a host has sent events in the last 24 hours, but you have nothing from it in the last hour, send an alert.

If (event count from * host in timespan 24h > 0) and (event count from * host in timespan 1h <0) then send alert

If my logic is correct, a search like this would be if the host has been active in the last 24 hours, but in the last hour you have received nothing - then send email.

Thanks for your help

0 Karma
Reply

woodcock
Esteemed Legend
‎05-23-2015 09:54 PM

Try scheduling this to run periodically (like once every hour):

index=* | dedup host | stats count first(_time) AS lastTime by host | eval age=now()-_lastTime | where age>43200 AND age<3600
0 Karma
Reply

dolejh76
Communicator
‎04-13-2015 10:06 AM

Looks like I also get reports if no results are found... this could get annoying how I have it set up right now.

The scheduled report 'DM missing forwarders' has run.

No results found.

0 Karma
Reply

rmsit
Communicator
‎04-19-2015 09:12 AM

I am having the same issue with the Deployment Monitor app. Search results for forwarders not connecting in the last 24 hours does not appear to work. What version of Spunk are you running? I believe this may have started after upgrading to version 6.2.

0 Karma
Reply

dolejh76
Communicator
‎04-14-2015 06:33 AM

Anyone? Please / thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...