one host logs are not coming in to the splunk that host we want display as a Down
This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/ TrackMe: https://splunkbase.splunk.com/app/4621/, Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/ Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/ Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/ Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
| tstats count where host="A" OR host="B" by host | append [|makeresults | eval host=split("A,B",",") | mvexpand host | fields - _*] | stats values(count) as status by host | fillnull value=Down | rex field=status mode=sed "s/\d+/Up/g"
Sounds like you may need a lookup so you can report on what's missing.
Let's say you have a csv named
important_hosts.csv with a single field named
Now you can do something like this:
index=ndx sourcetype=srctp (host="host_1" OR host="host_2") | stats count by host | append [ | inputlookup important_hosts.csv ] | fillnull | stats max(count) as count by host | eval status=if(count>0,"up","down") | fields - count
Hi I tried this query but not showing the down host
And it is metric log query I searched with system.system_up_time metric log
Run the given query for particular time range or real-time and get count of events by host.
If count is greater than 0 than host is UP, else DOWN.
host=host_1 OR host=host_2 | stats count by host | eval status = if(count>0, "Up", "Down") | table host, status
accept & up-vote the answer if it helps
If host1 isn't sending data,
stats isn't going to find it