Hello everyone,
I am a rookie. I use Splunk for Linux. I tried running the pingstatus command on Splunk,
but I don't know if it was successful. I also read Readme.txt
and configured it in commands.conf and authorize.conf.
Can someone answer or teach me? Or are there other methods or applications that can monitor network devices
and send an alert notification if packet loss is 100%?
It's best to start over.
The more detailed the better.
Thanks everyone
Hi @modernjameschen,
Are you using this pingstatus command from Splunkbase?
https://splunkbase.splunk.com/app/507/
If so, I recommend moving to this one, as it is more up to date and supports more recent Splunk versions:
https://splunkbase.splunk.com/app/3491/
Once you install it you can find the documentation for using it here: https://lukemurphey.net/projects/network-tools/wiki/Using_Search_Commands
It's pretty easy to use, and from there you can set up alerts to alert you when you have ping failures.
Let me know if that helps.
Cheers,
David
Splunk is not really that kind of tool. You would be better off using a tool specifically designed for this purpose. I can highly recommend Cacti:
https://en.wikipedia.org/wiki/Cacti_(software)

Hi @woodcock,
Thanks for your response.
But my job needs to use Splunk to monitor the device.
Hi @DavidHourani,
Thank you for your quick response.
Yes, I am using the "pingstatus" command from Splunkbase.
But I still don't understand how pingstatus works and is configured.
I want to know the status of the ping immediately, like destination host, response time, packet loss rate...
Or do you suggest I use Network Toolkit?
Which one is easier to get started with?
Or any idea?
Thanks, james
You're welcome @modernjameschen.
Both are easy to use, but Network Toolkit is supported in the more recent Splunk versions, whereas pingstatus is only supported up until 6.2 (you can see that on the right side when you're on the app URL for Splunkbase).
For Network Toolkit, if you need a tutorial, check out the link I sent you earlier: https://lukemurphey.net/projects/network-tools/wiki/Using_Search_Commands
In short, all you have to do is run |ping on a table with host IPs or domain names and you'll get the ping results.

Thanks @DavidHourani.
I started running ping in Network Toolkit.
But I have a question: how can I make the setting return a response time every second?
And how do I set an alert when the ping packet is lost?
Or do I need to configure anything else?
Any ideas?
For alerts you have to create an alert or a scheduled report that will run every X amount of time and do the ping for you.
As for modifying the default behavior of the ping command, you'll have to modify the scripts in the bin folder of the app.

@DavidHourani
I already have the search
[sourcetype = "ping_input" packet_loss = 100]
saved as an alert, but the alert is not working.
Alarm type: real-time
Trigger: Number of sources equals 100
Once in 1 minute
Per-Result trigger option.
And I don't know where to set the script.
In splunk/etc/apps/network_tool/bin?
Which folder?
Please help me.
19/12/05 16:29:16.000
sent=3 received=0 packet_loss=100 min_ping=NA avg_ping=NA max_ping=NA jitter=NA return_code=1 dest=192.168.0.12
host = ubuntu   source = ping   sourcetype = ping_input
Above is my search: [sourcetype = "ping_input" packet_loss = 100]
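Added example, not from the thread or from the Network Toolkit app: a small Python model of what Splunk does with the search and trigger condition in the post above. It parses events in the same key=value layout as the ping_input event shown, applies the `packet_loss = 100` filter, evaluates a "Number of Results" trigger condition against the result count (which is why "equals 100" never fires: the condition compares the number of matching events, not the packet_loss value), throttles per-result notifications by dest, and computes the per-destination average used by the dashboard panel. The sample events are constructed; only the 192.168.0.12 event mirrors the real one, the other hosts and values are made up.

```python
"""Added example (not part of the thread or the Network Toolkit app): evaluate the
'packet_loss = 100' alert over ping_input-style events to show why a trigger of
'Number of results equals 100' never fires while 'greater than 0' does."""
import re
from collections import defaultdict

# Constructed sample events in the sourcetype=ping_input layout (values invented,
# except the 192.168.0.12 event, which matches the one posted in the thread).
SAMPLE_EVENTS = [
    "sent=3 received=3 packet_loss=0 min_ping=1.2 avg_ping=1.5 max_ping=1.9 jitter=0.3 return_code=0 dest=192.168.0.1",
    "sent=3 received=0 packet_loss=100 min_ping=NA avg_ping=NA max_ping=NA jitter=NA return_code=1 dest=192.168.0.12",
    "sent=3 received=2 packet_loss=33 min_ping=2.0 avg_ping=2.4 max_ping=2.8 jitter=0.4 return_code=0 dest=192.168.0.13",
    "sent=3 received=0 packet_loss=100 min_ping=NA avg_ping=NA max_ping=NA jitter=NA return_code=1 dest=192.168.0.12",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("sent", "received", "packet_loss", "return_code")


def parse_event(line):
    """Split a raw event into fields, like Splunk's automatic key=value extraction."""
    fields = dict(KV_RE.findall(line))
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def search_total_loss(lines):
    """Equivalent of:  index=main sourcetype=ping_input packet_loss=100"""
    return [e for e in map(parse_event, lines) if e.get("packet_loss") == 100]


def alert_fires(results, comparator="greater than", threshold=0):
    """Apply a 'Number of Results' trigger condition to a result set.

    The comparator names mirror Splunk's alert_comparator values. The condition
    is evaluated against the COUNT of results, never against a field value, so
    'equal to 100' only fires when exactly 100 events match the search."""
    n = len(results)
    if comparator == "greater than":
        return n > threshold
    if comparator == "less than":
        return n < threshold
    if comparator == "equal to":
        return n == threshold
    if comparator == "not equal to":
        return n != threshold
    raise ValueError("unknown comparator: %r" % comparator)


def per_result_notifications(results):
    """Per-result triggering, throttled on dest: one notification per failing
    host even if the same destination failed several times in the window."""
    seen = set()
    notifications = []
    for event in results:
        if event["dest"] in seen:
            continue
        seen.add(event["dest"])
        notifications.append("100%% packet loss to %s (sent=%d received=%d)"
                             % (event["dest"], event["sent"], event["received"]))
    return notifications


def avg_loss_by_dest(lines):
    """Equivalent of the dashboard panel search, generalised to all hosts:
    index=main sourcetype=ping_input | chart avg(packet_loss) by dest"""
    samples = defaultdict(list)
    for event in map(parse_event, lines):
        samples[event["dest"]].append(event["packet_loss"])
    return {dest: sum(v) / len(v) for dest, v in samples.items()}


if __name__ == "__main__":
    matches = search_total_loss(SAMPLE_EVENTS)
    print("matching events:", len(matches))
    print("'equal to 100' fires:", alert_fires(matches, "equal to", 100))
    print("'greater than 0' fires:", alert_fires(matches))
    for note in per_result_notifications(matches):
        print(note)
    print(avg_loss_by_dest(SAMPLE_EVENTS))
```

Running it with the constructed events gives two matching events, so "equal to 100" is false and "greater than 0" is true; the two failures for 192.168.0.12 collapse into one notification.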
Hi @modernjameschen,
Is the alert created in the same app? It could be that you don't have permissions to access the field extraction in another app.
Try changing the permissions of the Network Toolkit app to global, and also include the index name in front of the sourcetype for the search:
index=yourindex sourcetype = "ping_input" packet_loss = 100

Hi @DavidHourani
Yes, I created the alert in the Network Toolkit app,
and I set the permissions of the Network Toolkit app to global. But I have a question: why should I create an index?
Where do I go to add a profile index?
Which folder?
Can you give me steps?
Thank you very much
Sure thing, to create an index follow these steps:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Setupmultipleindexes#Create_events_indexe...
Your data is already written to an index by default somewhere (it could be in index=main if you haven't configured anything). Run this search and check on the left side which index it's writing to; if it's main, make sure you change it into something else:
    sourcetype = "ping_input" packet_loss = 100
Let me know if that helps.
Cheers,
David

Hi @DavidHourani
I changed my search to
index = main sourcetype = "ping_input" packet_loss = 100
and also set the alert,
but the alert is still not working.
I don't know what went wrong.
Is it possible to trigger a condition?
I don't know which one to choose
(Number of Results
Source of Results
Host of Results).
Please help me.
Thank you very much
Alarm type: real-time
Number of Results
Trigger: Number of sources equals 100
Once in 1 minute
Per-Result trigger option.
Trigger action: send email
Try the default trigger... Number of results > 0
This should trigger. Also add "trigger an alert in Splunk" as an action so you can actually see if anything happened. In case your send email function is not configured, you will be able to see the alert and isolate the problem as a mailing problem.
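The alert David describes, written out as a savedsearches.conf stanza rather than clicked together in the UI, as an added example that is not from the thread or from the Network Toolkit app. The app directory (`network_tools`), the index (`main`, as in the thread's search) and the recipient address are assumptions; a scheduled cron search is used instead of the real-time alert from the post because it is what David suggested and is cheaper to run. The trigger condition is "Number of Results greater than 0", the alert is added to Triggered Alerts so it is visible even when email fails, and per-result notifications are throttled by dest so one unreachable host does not send a mail every minute.

```ini
# $SPLUNK_HOME/etc/apps/network_tools/local/savedsearches.conf
# Added example (not from the thread or the app). App directory, index and
# recipient are assumptions; adjust them to your instance.

[Ping total packet loss]
search = index=main sourcetype=ping_input packet_loss=100
enableSched = 1
# scheduled, not real-time: run every minute over the last minute of data
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
# trigger condition: "Number of Results" greater than 0
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# per-result triggering, throttled per destination for 15 minutes
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = dest
alert.suppress.period = 15m
# actions: add to Triggered Alerts (visible in Activity > Triggered Alerts) and send email
alert.track = 1
action.email = 1
action.email.to = myemail@mdg.com.tw
action.email.subject = Splunk alert: 100% packet loss to $result.dest$
action.email.inline = 1
```

After saving the file, restart Splunk or reload the app; the alert appears under Settings > Searches, reports, and alerts in the same app, which keeps it within the app whose field extractions it depends on.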

Hi @DavidHourani,
I changed the trigger condition to
Number of results > 0
and also changed the trigger action to
Add to Triggered Alerts list and send email.
I can see that Triggered Alerts has events,
but it still can't send email.
It's very confusing to me.
Any ideas?
Thanks, james
Could it be that your instance isn't configured for sending emails?
Check your general settings for the email configuration and make sure it's set up:
https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/Emailnotification

Hi @DavidHourani
I have configured the Splunk instance,
but I couldn't receive email, so I checked $SPLUNK_HOME/var/log/splunk/splunkd.log.
An error message appears:
12-14-2019 10:10:00.256 +0800 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/search/bin/sendemail.py "results_link=http://user:8000/app/search/@go?sid=rt_scheduler__admin__search__RMD5f497f97cb39c3595_at_1576144552_1.21" "ssname=test 2f2p error" "graceful=True" "trigger_time=1576289398" results_file="/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__RMD5f497f97cb39c3595_at_1576144552_1.21/results.csv.gz" "is_stream_malert=False"':  ERROR:root:{u'myemail@mdg.com.tw': (553, '5.7.1 <splunk@user>: Sender address rejected: not owned by user Username@mdg.com.tw')} while sending mail to: myemail@mdg.com.tw
Any ideas?
Thanks a lot
Seems like your sender email is not configured properly... try changing it and see what it gives... It should be username@FQDN.

Thanks @DavidHourani
I changed the mail host and email security,
then it successfully sent email.
Mail host: smtp.gmail.com:587
Email security: Enable TLS
It can send mail with a Gmail account.
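The same email settings expressed as an alert_actions.conf [email] stanza, as an added example that is not from the thread; the Email settings page under Settings > Server settings writes these same keys. The splunkd.log error quoted above is an SMTP 553 from the receiving server rejecting the default sender `splunk@<hostname>`, so the fix is a `from` address the SMTP server accepts for the authenticated user; with Gmail that is the authenticated account itself. The sender, account, hostname and password values are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/alert_actions.conf
# Added example (not from the thread). All addresses and the hostname are placeholders.

[email]
# Sender the SMTP server will accept. The default splunk@<hostname> was rejected
# with "553 5.7.1 Sender address rejected: not owned by user".
from = splunk-alerts@example.com
# Mail host and security settings from the thread: SMTP submission port with STARTTLS.
mailserver = smtp.gmail.com:587
use_tls = 1
use_ssl = 0
# Gmail requires authentication; use an app password, not the account password.
# Enter the password through the UI so Splunk stores it encrypted rather than in clear text here.
auth_username = splunk-alerts@example.com
auth_password = <app-password>
# Hostname used in the "results_link" inside the mail. The log above shows
# http://user:8000/..., which recipients cannot resolve; set a reachable name.
hostname = splunk.example.com
```

After changing these settings, re-run the alert and watch splunkd.log for `ScriptRunner` lines from sendemail.py: a successful send produces no ERROR line, whereas an SMTP rejection is logged with the server's reply code, as in the 553 above.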
Awesome! Please upvote my useful comments and accept the answer! 🙂

Hi @DavidHourani
I met a problem.
I tried to create a monitoring dashboard,
saving each search result as a monitoring dashboard.
But I have a problem:
you can't add more than seven search results.
I tried to edit the source of the dashboard.
I can increase the search results, but they are not performed.
It can only perform up to seven searches.
Below is my code.
Any ideas?
<dashboard>
  <label>Monitor device</label>
  <row>
    <panel>
      <title>2F-AP : 192.168.0.12</title>
      <single>
        <title>192.168.0.12 happne error</title>
        <search>
          <query>index = main "dest=192.168.0.12"  | chart  avg(packet_loss)</query>
          <earliest>rt-60s</earliest>
          <latest>rtnow</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0</option>
        <option name="rangeColors">["0x53a051","0x53a051","0xf8be34","0xf1813f","0xdc4e41","0xdc4e41"]</option>
        <option name="rangeValues">[0,26,51,76,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
.
.
.
 </row>
</dashboard>
Or where can I set up the limit?
Thanks a lot
