×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jpolachak
New Member
Member since: ‎04-20-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-20-2016
Activity Feed
View All

Create alert for not all hosts having data

by in Alerting
‎04-22-2016 12:07 PM
‎04-22-2016 12:07 PM
I am trying to create a alert/dashboard for our users. I am trying to create a search query where if the named process is not running on the specified hosts in the search to produce an alert. The query works great when the data is there. The issue is what if one of the hosts does not have data because its down. Then If my search included 4 hosts it will now only show 3 hosts with the named process running. I am trying to use this query. index="os" source="top" host=ns1 OR host=ns2 OR host=ns3 OR host=ns4 named earliest=-2min latest=-1min |chart count by host To test this i have just been adding another bogus host to the search query. Then trying to run it to get a result. However, if it doesn't find anything it just shows the ones running. I am new and am sure there must be an easy way to approach this that I am unaware of. I have tried adding "|search count=0" but that doesn't work if the query has no data. I was trying to originally create a graph that shows a green bar graph if its up and nothing if its down. But now I am just trying to generate an alert. Best scenario would be to come up with some visualization that shows the 4 servers and then shows no data for one of them if it goes down. ... View more

Re: How to create graph based on hardcoded hosts w...

by in Splunk Search
‎04-21-2016 10:58 AM
‎04-21-2016 10:58 AM
Well I am not sure that works. If i substitute an invalid host lets say ns5 that does not exist. I would expect to see I was trying to create a bar graph with 4 bars for each host. The issue I trying to solve was to keep 4 bar graphs when data is only received from 3 hosts. Then it will show 3 green bar graphs for the process. Then it would have an area for the host that shows no data. I am trying to create a dashboard for the helpdesk to be aware of when the DNS/named process is not running on the dns servers. Then give them some window into how to monitor this via something visual. I tried to create a single search for 4 servers using bar graphs. If they are used to seeing 4 green bar graphs then if they only see 3 of the 4. Then they know they need to escalate this. My initial search works. It just doesnt work if there is no data. I want to ensure if there no data from one of the hosts it shows as a color or something visual they can see. I want to maintain the other 3 green graphs for the 3 working servers. I just dont know how to keep those 4 "hardcoded" hosts in the search even if one of them has no data. Then create a visual red/failed item for the users to realize there is an action needed to be taken. ... View more

How to create graph based on hardcoded hosts with ...

by in Splunk Search
‎04-20-2016 07:23 AM
‎04-20-2016 07:23 AM
All, I am trying to create a dashboard search to monitor if the named process is running on our name servers. I am trying to run a search on a set number of hosts, but if the hosts contain no data set the graph to red. Here is my search: index="os" source="top" host=ns1 OR host=ns2 OR host=ns3 OR host=ns4 named earliest=-2min latest=-1min | stats count by host | eval redCount = if(count !=1,count,0) | eval greenCount = if(count = 1,count,0) |fields - count So basically, I'm looking in the last few minutes that the named process is showing up in the search. Then checking that there is only 1 line per host. If there is only 1 line the graph is green, if the number is not equal to one, turn red. My issue is, what if I have a host like ns4 that is down and shows no data from the search? Then the search just shows 3 out of the 4 hosts as green. How do I generate an error if any of the 4 hosts show no data? I am only interested in the 4 "hardcoded" hosts in my search. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM