
We have a list of hosts not logging (lookup hosts list). Can anyone help with a search in Splunk to find out why they are not logging?

Explorer

We have a list of hosts not logging (lookup hosts list). Can anyone help with a search in Splunk to find out why they are not logging?

0 Karma

Esteemed Legend
0 Karma

Explorer

Pardon me. What exactly I meant to ask is: we have a list of hosts not reporting in Splunk. I am looking for the best search to find out in the UI why they are not reporting.

0 Karma

Esteemed Legend

Start with the links above. If you get hung up, add a comment here.

0 Karma

Builder

I would start with this and see if they are even talking to the indexers at all.

index=_internal source=*splunkd.log host=(YOURHOST)

If this returns no results, there is no transmission. In that case, check that the service is started and that the port is open. Then check $splunkhome$/var/log/splunk/splunkd.log for clues.

If there is communication, chances are you don't have any apps in place in $splunkhome$/etc/apps.

Splunk is running, but hasn't been told what to do.

0 Karma
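
Added example, not part of the original thread: one way to apply the check from the answer above to a whole list of hosts at once, separating hosts with no forwarder traffic from hosts whose forwarder is connected but sends no data. The lookup file name `hosts_not_logging.csv`, its `host` column, and the 900-second and 86400-second thresholds are assumptions; run it over a time range longer than the thresholds (for example the last 7 days).

```spl
| inputlookup hosts_not_logging.csv
| eval host=lower(host)
| fields host
| join type=left host
    [| tstats latest(_time) as last_internal where index=_internal by host
     | eval host=lower(host)
     | stats max(last_internal) as last_internal by host]
| join type=left host
    [| tstats latest(_time) as last_event where index=* by host
     | eval host=lower(host)
     | stats max(last_event) as last_event by host]
| eval internal_age=now()-last_internal, event_age=now()-last_event
| eval diagnosis=case(
    isnull(last_internal) AND isnull(last_event), "never seen: check service, port and outputs",
    isnull(last_internal) OR internal_age>900, "forwarder not talking to the indexers",
    isnull(last_event) OR event_age>86400, "forwarder connected but sending no data: check inputs and apps",
    true(), "reporting")
| eval last_internal=strftime(last_internal,"%F %T"), last_event=strftime(last_event,"%F %T")
| table host diagnosis last_internal last_event
| sort diagnosis host
```

Host names are lowercased on both sides because a case mismatch between the lookup and the indexed `host` value would otherwise show a reporting host as never seen. With very large host counts the `join` subsearch limits can truncate results.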

Explorer

Thanks! jduke

0 Karma

Motivator

Try this search on your DS,

| inputlookup dmc_forwarder_assets | search status="missing" | fields hostname os arch forwarder_type version last_connected status | rename hostname as Instance | eval now=now() | eval DurationNotConnected=now-last_connected | where DurationNotConnected<=2592000 | fields - last_connected now | sort DurationNotConnected | eval DurationNotConnectedDays = round(DurationNotConnected/86400,0)


0 Karma

Explorer

Thanks! sbbadri

0 Karma