Identifying when a host stops logging onto Splunk

SB · ‎10-26-2021

We see some hosts not reporting currently into Splunk in Oct 2021. When analyzed in its previous month's i.e. Sept 2021, those hosts were reporting to Splunk.

Do we have any query/method to find the exact time when these were reported last?

Thanks

isoutamo · ‎11-02-2021

Hi

here is some apps / writings about this issue. Maybe you could utilise those if you still have events and/or internal events on your instance.

Slackbot 17:08
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

r. Ismo

Identifying when a host stops logging onto Splunk

scheduled search

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM