Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Query for Splunkd Status

wvalente
Explorer
‎11-24-2017 05:34 AM

Hi Guys,

There's any query in the splunk web that I'm able to see if the splunkd is not running in a forwarder?

Tks.

Tags (1)
0 Karma
Reply

wvalente
Explorer
‎11-27-2017 05:25 AM

Tks @woodcock, @cusello and @niketnilay

I'll try this solutions.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-26-2017 02:49 PM

I would use tstats like this:

| tstats count max(_indextime) AS _time WHERE index="_*" AND host="YourHostHere"

You can build an alert from there.

Reply

niketn
Legend
‎11-25-2017 08:51 AM

@wvalente, there could be several ways to identify this.

1) By _internal index has already been called out by Giuseppe. For remaining like:
2) metadata command
3) REST api with lastPhoneHomeTime 

| rest /services/deployment/server/clients

(https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients)
4) Distributed Monitoring Console to monitor deployment status, which uses above REST API.

Refer to answer by @DalJeanis which compiles all these and more 🙂
https://answers.splunk.com/answers/525926/how-do-we-determine-whether-a-forwarder-phoned-hom.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2017 06:47 AM

Hi wvalente,
you can check if your forwarders are sending logs to Splunk, reasons for this situations could be many (splunkd not running, network problems, host down, etc...) but anyway I think that you should check if a forwarder is sending logs and not if slunkd is running, anyway if there are other problems you cannot receive logs from the forwarder!

So, to check if a forwarder is sending logs you can search on _internal

index=_internal host=your_host

if you don't receive logs there's a problem.

You can create an alert using a lookup (calling e.g. perimeter.csv) containing all the hosts to monitor and running e.g. every 5 minutes the following search:

index=_internal
| eval host=upper(host)
| stats count by host
| append [ 
     | inputlookup perimeter.csv
     | eval host=upper(host), count=0
     | fields host count
     ]
| stats sum(count) AS Total by host
| where Total=0

In this way, hosts where Total=0 are missing and hosts where Total>0 are sending logs.
You can also show host status in a dashboard (also in graphic mode).

Bye.
Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...