Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

command to identify the downtime of splunk component

vinitpathri
Path Finder
‎06-18-2020 04:34 AM

i want to find out the time for which a host was down , please share the query to check the same.

 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2020 06:30 AM

Hi @vinitpathri ,

it's a best practice that all the Splunk componentes send their logs to Indexers, so if you run a search on Splunk _internal logs, you can have the downtime of a Splunk component.

you could create a lookup (called e.g. perimeter.csv) containing all the servers (in the column host) of your Splunk infrastructure to monitor and run a search like this:

| metasearch index=_internal [ | inputlookup perimeter.csv | fields host ]
| timechart span=10m count BY host
| where count=0
| delta _time AS diff
| where diff=600
| stats sum(diff) AS total BY host

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...