Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

i need and when a splunk agent goes down or stops

rndp89
Explorer
‎05-10-2018 09:02 PM

i have 30 servers, out of which I want to monitor splunk agents of only 4 servers

i have the following query.

index=_internal data_host=server1 OR data_host=server2 OR data_host=server3 OR data_host=server4 | stats count by data_host

how to create alert for the server which doesn't show up in the result table?
Alert should contain the server name which is not/stopped reporting data to splunk controller

For example:- server2 went down or the splunk agent of server2 went down for some reason.
Alert should say "Server2 is not reporting data"

Tags (2)
0 Karma
Reply

niketn
Legend
‎05-11-2018 06:12 AM

@rndp89 by Splunk Agent do you mean when Universal Forwarders on Deployment Clients stop working?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mayurr98
Super Champion
‎05-10-2018 10:35 PM

hey try this

| metadata type=hosts index=* OR index=_internal 
| eval age = now() - recentTime 
| eval status= case(age < 1800,"Running",age > 1800,"DOWN") 
| convert ctime(recentTime) AS LastActiveOn 
| eval age=tostring(age,"duration") 
| eval host = upper(host) 
| table host age LastActiveOn status 
| rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status 
| where Status= "DOWN"

OR you can have a look at this answer:
https://answers.splunk.com/answers/318037/how-to-create-an-alert-to-trigger-an-email-when-a.html

let me know if this helps!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...