×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
X_Kinkead
Explorer
Member since: ‎12-11-2020
‎09-08-2025
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎12-11-2020
Activity Feed
View All

Re: UF missing alert for Splunk Cloud

by in Deployment Architecture
‎01-25-2021 11:19 AM
‎01-25-2021 11:19 AM
Thanks - I ended up using this query: | metadata type=hosts index=* | eval latestEventSeen=strftime(lastTime,"%x %X") | eval age_in_minutes=round((now()-lastTime)/60,0) | search age_in_minutes > 5 | search host="*" | fields host latestEventSeen age_in_minutes It seems to work as expected, after the throttling was configured.   ... View more

Is there a way to get an alert when (at the time o...

by in Deployment Architecture
‎01-21-2021 12:31 PM
‎01-21-2021 12:31 PM
Hello,   Is there a way to get an alert when (at the time of)  a UF is considered missing?  I don't mean a report of all missing UFs over all time, but when one of them goes offline recently?   In the Cloud Monitoring Console app, I see there is a screen for Forwarders:Deployment, so I copied the query for the Status & Configuration table with the hopes that might be a good jumping off point - here is my query:         | inputlookup sim_forwarder_assets | makemv delim=" " avg_tcp_kbps_sparkline | `sim_rename_forwarder_type(forwarder_type)` | search NOT [| inputlookup sim_assets | dedup serverName | rename serverName as hostname | fields hostname] | `sim_time_format(last_connected)` | fields hostname, forwarder_type, version, os, arch, status, last_connected | search hostname="***" | search status="*" | search last_connected < -20m@s | rename hostname as host, forwarder_type as Type, version as Version, os as OS, arch as Architecture, status as Status, last_connected as "Last Connected to Indexers"         As I understand it the UF status is set to 'missing' after 15 minutes of inactivity. The above search is run in a short window of say the last 30 minutes.     Is there perhaps a more direct way to get what I need?  Else is there a way to get the above to work?   Thanks for any advice!   ... View more

Re: UF parallelization for Splunk Cloud

by in Deployment Architecture
‎01-21-2021 12:15 PM
‎01-21-2021 12:15 PM
It turns out that there was a change in corporate policy which allows for each of these systems to access the 'outside' network segment, provided a business need could be given, so I'm good to go - thanks! ... View more

UF parallelization for Splunk Cloud

by in Deployment Architecture
‎12-11-2020 08:21 AM
‎12-11-2020 08:21 AM
I'm looking for advice for avoiding the 'Funnel Effect' for a small number of intermediate Universal Forwarders to about 15 cloud indexers - my best lead is to apply parallelization - has anyone had success with that, specifically to the Cloud version?  Are there alternatives?   Here is a presentation on that issue, where the problem is described at depth but the parallelization solution is only briefly touched upon: Video - https://www.splunk.com/en_us/resources/videos/worst-practices-and-how-to-fix-them.html Presentation - https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf Thanks for any advice! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-08-2025 07:29 AM
Karma given to
View All