Splunk Search

Network Toolkit: How to ping hosts from a search

rohitmaheshwari
Explorer

I have a search that gives me a column with hostnames

host
A
B
C

I am trying to use the network toolkit application from Splunk base to ping these hosts to see if they are still alive.

For example, if I have a search such as this:

index=abc | stats values(host) as host | mvexpand host

How can I add another column using the |ping command or any other command to see if I am able to receive a status on these servers?

1 Solution

Sukisen1981
Champion

hi @rohitmaheshwari
You need to use the map command. The ping command in this app, which gives info like dest, sent, packet loss, etc., is all based on the host field, which is an IP address.
Try this in your network toolkit app:

index=abc | stats values(host) as host | mvexpand host | map search="| ping host=$host$  count=1 |  eval dest=if(isnull(dest),host,dest) | fields dest sent received packet_loss min_ping avg_ping max_ping jitter | eval row="Value" | transpose column_name=Data header_field=row"

NOTE: The command/app itself is a bit slow, so I strongly suggest limiting the initial host set to only 3 IPs at first.
See the output and then decide how to proceed further. All I am doing above is passing each host value from your index into the ping command; it works like a for loop.


lamelendrez
Loves-to-Learn Lots

How could I incorporate an inputlookup into the search to change the IP address to a device name?

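An added example, not from the thread, that combines the accepted map/ping pattern with an IP-to-name lookup as the follow-up question asks, and flags hosts that answered no packets. It assumes a lookup file device_names.csv with columns ip and device_name, and raises map's maxsearches because map stops after 10 inner searches by default.

```spl
index=abc
| stats values(host) as host
| mvexpand host
| head 3
| map maxsearches=50 search="| ping host=$host$ count=1 | eval dest=if(isnull(dest),host,dest) | fields dest sent received packet_loss"
| lookup device_names.csv ip AS dest OUTPUT device_name
| eval device_name=coalesce(device_name, "unknown")
| eval status=if(received=0, "unreachable", "alive")
| table device_name dest sent received packet_loss status
```

Remove the head 3 once the first run looks right; hosts missing from the lookup are kept with device_name set to unknown rather than dropped.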

Sukisen1981
Champion

hi @rohitmaheshwari
Please try it out and accept the answer if this works for you.
