Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

i need and when a splunk agent goes down or stops

rndp89
Explorer
‎05-10-2018 09:02 PM

i have 30 servers, out of which I want to monitor splunk agents of only 4 servers

i have the following query.

index=_internal data_host=server1 OR data_host=server2 OR data_host=server3 OR data_host=server4 | stats count by data_host

how to create alert for the server which doesn't show up in the result table?
Alert should contain the server name which is not/stopped reporting data to splunk controller

For example:- server2 went down or the splunk agent of server2 went down for some reason.
Alert should say "Server2 is not reporting data"

Tags (2)
0 Karma
Reply

niketn
Legend
‎05-11-2018 06:12 AM

@rndp89 by Splunk Agent do you mean when Universal Forwarders on Deployment Clients stop working?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mayurr98
Super Champion
‎05-10-2018 10:35 PM

hey try this

| metadata type=hosts index=* OR index=_internal 
| eval age = now() - recentTime 
| eval status= case(age < 1800,"Running",age > 1800,"DOWN") 
| convert ctime(recentTime) AS LastActiveOn 
| eval age=tostring(age,"duration") 
| eval host = upper(host) 
| table host age LastActiveOn status 
| rename host as "Forwarder Name", age as "Last Heartbeat(min)",LastActiveOn as "Last Active On",status as Status 
| where Status= "DOWN"

OR you can have a look at this answer:
https://answers.splunk.com/answers/318037/how-to-create-an-alert-to-trigger-an-email-when-a.html

let me know if this helps!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...