Hi there,
How would I set up a table to find out which forwarders have not phoned home in the last day? I am currently using this REST search for other related activity:
index=_internal group=tcpin_connections | join hostname [| rest /services/deployment/server/clients splunk_server=* | eval lastPhoneHome=tostring(now()-lastPhoneHomeTime,"duration")]
Thanks!
You have to create a lookup (e.g.: Perimeter.csv) with all the servers of your perimeter (manually or with an outputlookup night batch) and use it to verify the connected forwarders, something like this:
| inputlookup Perimeter.csv | eval count=0 | eval host=upper(host) | append [ | metasearch index=_internal | eval host=upper(host) | stats count by host ] | stats sum(count) AS Somma by host | rangemap field=Somma severe=0-0 low=1-1000000000 default=severe | table host range | sort host
Using rangemap you can show the result with a graphic icon (see Dashboard Examples).
Bye.
Giuseppe
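The same logic outside Splunk, as an added example that is not from the thread or from Giuseppe: a constructed Perimeter.csv and a few constructed `index=_internal` and deployment-client rows are processed the way the two searches above do it (uppercase the host, append the expected list to the observed counts, sum per host, map 0 to "severe" and 1..1000000000 to "low", sort), plus the question's own check of which deployment clients have not phoned home for more than a day. Host names, timestamps and the `NOW` value are all assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample inputs (not from the thread): a Perimeter.csv lookup
# listing every forwarder we expect to see, some index=_internal events,
# and deployment-server client records for the last day.
PERIMETER_CSV = """host
fwd-web-01
FWD-DB-01
fwd-app-02
fwd-dc-01
"""

NOW = 1_700_086_400  # constructed "now" epoch so results are reproducible
DAY = 86_400

INTERNAL_EVENTS = [  # what `metasearch index=_internal` would return (host only)
    {"host": "fwd-web-01"},
    {"host": "fwd-web-01"},
    {"host": "FWD-APP-02"},
    {"host": "fwd-other-99"},  # reports to _internal but is not in the lookup
]

DEPLOYMENT_CLIENTS = [  # rows from /services/deployment/server/clients
    {"hostname": "fwd-web-01", "lastPhoneHomeTime": NOW - 300},
    {"hostname": "fwd-db-01", "lastPhoneHomeTime": NOW - 90_000},
    {"hostname": "fwd-app-02", "lastPhoneHomeTime": NOW - 3_600},
]


def load_perimeter(csv_text):
    """`| inputlookup Perimeter.csv | eval count=0 | eval host=upper(host)`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"].strip().upper(): 0 for row in reader}


def count_by_host(events):
    """`metasearch index=_internal | eval host=upper(host) | stats count by host`."""
    return Counter(e["host"].upper() for e in events)


def rangemap(total):
    """`rangemap field=Somma severe=0-0 low=1-1000000000 default=severe`."""
    if total == 0:
        return "severe"
    if 1 <= total <= 1_000_000_000:
        return "low"
    return "severe"


def coverage_report(perimeter_csv, events):
    """Append both result sets, sum counts per host, map to a range, sort by host."""
    totals = Counter(load_perimeter(perimeter_csv))  # zero rows are kept
    totals.update(count_by_host(events))             # adds the observed counts
    return [(host, totals[host], rangemap(totals[host])) for host in sorted(totals)]


def silent_hosts(perimeter_csv, events):
    """Hosts in the report that produced no _internal events at all."""
    return [h for h, _, r in coverage_report(perimeter_csv, events) if r == "severe"]


def duration(seconds):
    """Mimic tostring(x, "duration"): D+HH:MM:SS when days > 0, else HH:MM:SS."""
    days, rem = divmod(int(seconds), DAY)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def stale_forwarders(clients, now=NOW, max_age=DAY):
    """Deployment clients whose last phone-home is older than max_age seconds."""
    stale = []
    for c in clients:
        age = now - c["lastPhoneHomeTime"]
        if age > max_age:
            stale.append((c["hostname"], duration(age)))
    return sorted(stale)


if __name__ == "__main__":
    for host, total, rng in coverage_report(PERIMETER_CSV, INTERNAL_EVENTS):
        print(f"{host:<14} {total:>3} {rng}")
    print("stale:", stale_forwarders(DEPLOYMENT_CLIENTS))
```

Two things the sample makes visible: the appended metasearch also brings in hosts that are not in the lookup (fwd-other-99 shows up as "low"), so add a filter against the lookup if you only want perimeter hosts; and the `host` field in `_internal` and the `hostname` field of a deployment client are set independently on the forwarder, so the two checks can disagree for the same machine. A forwarder that goes quiet is a gap in log coverage before it is anything else, which is why both a "no events in the window" and a "no phone-home in the window" check are worth keeping.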
If you're satisfied with the answer, please accept it.
Bye.
Giuseppe