Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to find computers which stopped sending logs

Nawab
Communicator
‎07-29-2024 03:26 AM

I have a deployment where multiple computers are sending logs to a WEF server using WEF(windows event forwarding). I tried to map ComputerName field to host name field but failed to do so.

Now I want to create an alert if any of the computer is not sending logs to splunk. how can i do so.

 

The method defined by splunk is based on index,host and sourcectype field, which will remain same for all computers in our case.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-30-2024 12:21 AM

Hi @Nawab ,

to use computername instead host youcannot use tstats and the search is slower, so try this:

with perimeter.csv lookup

index=* 
| stats count BY sourcetype ComputerName
| append [ 
     | inputlookup perimeter.csv 
     | eval count=0 
     | fields ComputerName sourcetype count ]
| stats sum(count) AS total BY sourcetype ComputerName
| where total=0

without lookup:

index=* 
| stats count latest(_time) AS _time BY sourcetype ComputerName
| eval period=if(_time<now()-3600,"previous,"latest")
| stats 
     dc(period) AS period_count
     values(period) AS period
     BY sourcetype ComputerName
| where period_count=1 AND period="previous"

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Nawab
Communicator
‎07-30-2024 12:03 AM

The issue in my case is the field i am look at is computername instead of host.

below is the deployement.

 

All windows servers ----> forwarder server ----> splunk

in splunk host will be forwarder server i.e 1 instead of the backend servers sending data.

these queries work on host source sourcetype and index fields.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-30-2024 12:21 AM

Hi @Nawab ,

to use computername instead host youcannot use tstats and the search is slower, so try this:

with perimeter.csv lookup

index=* 
| stats count BY sourcetype ComputerName
| append [ 
     | inputlookup perimeter.csv 
     | eval count=0 
     | fields ComputerName sourcetype count ]
| stats sum(count) AS total BY sourcetype ComputerName
| where total=0

without lookup:

index=* 
| stats count latest(_time) AS _time BY sourcetype ComputerName
| eval period=if(_time<now()-3600,"previous,"latest")
| stats 
     dc(period) AS period_count
     values(period) AS period
     BY sourcetype ComputerName
| where period_count=1 AND period="previous"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-30-2024 12:40 AM

Hi @Nawab ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-29-2024 04:00 AM

Hi @Nawab ,

if you have a list of hosts to monitor, you could put it in a lookup (called e.g. perimeter.csv and containing at least two columns: sourcetype, host) and run a search like the following:

| tstats 
     count 
     WHERE index=* 
     BY sourcetype host
| append [ 
     | inputlookup perimeter.csv 
     | eval count=0 
     | fields host sourcetype count ]
| stats sum(count) AS total BY sourcetype host
| where total=0

if you don't have this list and you want to check hosts that sent logs in the last weeb but not in tha last hour, you could run:

| tstats 
     count 
     latest(-time) AS _time
     WHERE index=* 
     BY sourcetype host
| eval period=if(_time<now()-3600,"previous,"latest")
| stats 
     dc(period) AS period_count
     values(period) AS period
     BY sourcetype host
| where period_count=1 AND period="previous"

 The first solution gives you more control but requires to manage the perimeter lookup.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-29-2024 10:30 AM
Hi
this is answer from Community Slack

Slackbot
17:08
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/
r. Ismo
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...