Hi!
How could I set up email alerts on missing forwarders? I'd like to receive both realtime alerts and a daily report on missing agents.
I tried to use search from Distributed Management Console:
| inputlookup dmc_forwarder_assets | makemv delim=" " avg_tcp_kbps_sparkline | eval sum_kb = if (status == "missing", "N/A", sum_kb) | eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline) | eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps) | eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps) | `dmc_rename_forwarder_type(forwarder_type)` | `dmc_time_format(last_connected)` | fields hostname, forwarder_type, version, os, arch, status, last_connected, sum_kb, avg_tcp_kbps_sparkline, avg_tcp_kbps, avg_tcp_eps | search hostname="***" | search status="missing" | rename hostname as Instance, forwarder_type as Type, version as Version, os as OS, arch as Architecture, status as Status, last_connected as "Last Connected to Indexers", sum_kb as "Total KB", avg_tcp_kbps_sparkline as "Average KB/s Over Time", avg_tcp_kbps as "Average KB/s", avg_tcp_eps as "Average Events/s"
but it only works when run within DMC; if I try to create a report out of it, it doesn't work. I guess it's because the lookup table is under the DMC app:
/opt/splunk/etc/apps/splunk_management_console/lookups/dmc_forwarder_assets.csv
How can I build a scheduled report and a realtime alert for my goal?
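One way to turn the search above into email alerts, as an added example that is not part of the original post and not Splunk's or the DMC app's own configuration: two savedsearches.conf stanzas, one scheduled every 5 minutes as the near-realtime alert and one daily report. It assumes the stanzas are placed in the DMC app's own `local/` directory so that the app-scoped `dmc_forwarder_assets` lookup and the `dmc_time_format` macro resolve (sharing the lookup definition globally from its permissions page is the alternative), that the lookup is kept current by the DMC's own scheduled asset-table search (which is why a true real-time search over `inputlookup` would add nothing), and that the recipient address, the 5-minute cadence and the 07:00 report time are placeholder choices.

```ini
# Added example, not from the original post.
# Assumed location: $SPLUNK_HOME/etc/apps/splunk_management_console/local/savedsearches.conf
# so the app-private lookup and macros are visible to the scheduler.

[Missing forwarders - 5 minute alert]
search = | inputlookup dmc_forwarder_assets | search status="missing" | `dmc_time_format(last_connected)` | table hostname, forwarder_type, version, os, arch, status, last_connected
enableSched = 1
# The search reads a lookup, not indexed events, so the time range only satisfies the scheduler.
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger only when at least one forwarder is in the "missing" state.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Throttle per host for 24h so a forwarder that stays missing is not mailed every 5 minutes.
alert.suppress = 1
alert.suppress.fields = hostname
alert.suppress.period = 24h
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $job.resultCount$ forwarder(s) missing
action.email.inline = 1

[Missing forwarders - daily report]
search = | inputlookup dmc_forwarder_assets | search status="missing" | `dmc_time_format(last_connected)` | table hostname, forwarder_type, version, os, arch, status, last_connected | sort hostname
enableSched = 1
# 07:00 server time every day; sends the result table inline even when it is empty.
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
action.email = 1
action.email.to = soc@example.com
action.email.subject = Daily missing forwarder report ($job.resultCount$ missing)
action.email.inline = 1
action.email.sendresults = 1
```

After a `splunk restart` (or a reload of the app's saved searches) both searches appear under Settings > Searches, reports, and alerts in the DMC app context, where the trigger condition and throttle can also be adjusted from the UI; keeping the per-host throttle is what stops a single long-missing forwarder from burying a newly missing one in repeated mail.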