Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Host state change

rmorlen
Splunk Employee
Splunk Employee
‎06-11-2013 07:15 AM

We have 4 servers running. 2 active and 2 as offline. Doing a search similar to "hostname="MyServers*" sourcetype="status" serverState="*" | stats count by serverState" will give me a list of the servers and their current state (either active or offline). We want to be able to alert when any of the servers change state (go from active to offline or offline to active). Any suggestions on how to do this? I looked at Tracking Hosts Through a State Diagram but it didn't make sense to me.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎06-11-2013 01:55 PM

If the hosts will log their state in regular intervals you could schedule a search that runs once every interval over a span of 2 intervalls and do something like:

basesearch serverState="*" | stats dc(serverState) as states by host | where states>1

This would give you a list of servers that have changed their state if you throw in a latest(serverState) you will also get the state they are in now.

If the events are not logged at regular intervalls you can still detect state changes if you search over big enough time span.
Using a search to update a lookup table or a summary index that keeps trace of the last state and a second search to compare the lookup table/summary index to the current state is probably the way to go (this is what kristian suggests)

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎06-11-2013 01:55 PM

If the hosts will log their state in regular intervals you could schedule a search that runs once every interval over a span of 2 intervalls and do something like:

basesearch serverState="*" | stats dc(serverState) as states by host | where states>1

This would give you a list of servers that have changed their state if you throw in a latest(serverState) you will also get the state they are in now.

If the events are not logged at regular intervalls you can still detect state changes if you search over big enough time span.
Using a search to update a lookup table or a summary index that keeps trace of the last state and a second search to compare the lookup table/summary index to the current state is probably the way to go (this is what kristian suggests)

Reply
Solved! Jump to solution

rmorlen
Splunk Employee
Splunk Employee
‎06-12-2013 05:16 AM

Yep. This worked. Thanks!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-11-2013 07:56 AM

Perhaps you should have a look at this - using a lookup-table to maintain state (and detect changes)

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

/K

0 Karma
Reply
Solved! Jump to solution

rmorlen
Splunk Employee
Splunk Employee
‎06-11-2013 09:07 AM

Whew. Great article. I still can't get when a server changes from active to offline. (so a server was online a minute ago and it is now offline). I can get a list of servers that are either active or offline.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...