Reporting

Identifying when a host stops logging onto Splunk

SB
New Member
We see some hosts not reporting currently into Splunk in Oct 2021. When analyzed in its previous month's i.e. Sept 2021, those hosts were reporting to Splunk.
 
Do we have any query/method to find the exact time when these were reported last?
 
Thanks
Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

here is some apps / writings about this issue. Maybe you could utilise those if you still have events and/or internal events on your instance.

Slackbot  17:08
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

r. Ismo

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>