Splunk Dev

Create search shows hosts status from Down to up


We need to send an alert if a host's status changes from down to up. Please help me with how we can do this.


Esteemed Legend

Generally, like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=AndSourcetypeToo
| dedup host status
| search status="up"

Save this as an alert with the trigger condition "When event count" "Is greater than 0".

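The search above returns the most recent "up" event per host, so it keeps firing while a host stays up. A variant that fires only on the actual down-to-up transition is shown below as an added example; it is not part of the original answer. It assumes events carry a host field and a status field whose values are the literal strings up and down, and that the index and sourcetype names are placeholders you replace with your own.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE status IN ("up", "down")
| sort 0 host _time
| streamstats current=f last(status) AS prev_status BY host
| where status="up" AND prev_status="down"
| table _time host prev_status status
```

streamstats with current=f looks at the preceding event for the same host, so each row that survives the where clause is the first "up" event following a "down" one. Save it as an alert over a time window wide enough to include the last "down" event for each host (for example a 15 minute window run every 5 minutes); if the window is too narrow, prev_status is empty for the first event in it and the transition is missed. For hosts that stop sending events entirely rather than reporting "down", the forwarder phone-home approach in the other answer is the better fit.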


Provide examples from the events/logs that you are planning to leverage.

Refer to the following answer for several ways you can do it including one where you can check for Last Phone Home time for each host using REST service call: https://answers.splunk.com/answers/525926/how-do-we-determine-whether-a-forwarder-phoned-hom.html

| makeresults | eval message= "Happy Splunking!!!"