Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

command to identify the downtime of splunk component

vinitpathri
Path Finder
‎06-18-2020 04:34 AM

i want to find out the time for which a host was down , please share the query to check the same.

 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2020 06:30 AM

Hi @vinitpathri ,

it's a best practice that all the Splunk componentes send their logs to Indexers, so if you run a search on Splunk _internal logs, you can have the downtime of a Splunk component.

you could create a lookup (called e.g. perimeter.csv) containing all the servers (in the column host) of your Splunk infrastructure to monitor and run a search like this:

| metasearch index=_internal [ | inputlookup perimeter.csv | fields host ]
| timechart span=10m count BY host
| where count=0
| delta _time AS diff
| where diff=600
| stats sum(diff) AS total BY host

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...