cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
X_Kinkead
Explorer
Member since: ‎12-11-2020
‎01-25-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 2
Karma Received 0
Member Since ‎12-11-2020
Activity Feed
View All

Re: UF missing alert for Splunk Cloud

by in Deployment Architecture
‎01-25-2021 11:19 AM
‎01-25-2021 11:19 AM
Thanks - I ended up using this query: | metadata type=hosts index=* | eval latestEventSeen=strftime(lastTime,"%x %X") | eval age_in_minutes=round((now()-lastTime)/60,0) | search age_in_minutes > 5 | search host="*" | fields host latestEventSeen age_in_minutes It seems to work as expected, after the throttling was configured.   ... View more

Is there a way to get an alert when (at the time o...

by in Deployment Architecture
‎01-21-2021 12:31 PM
‎01-21-2021 12:31 PM
Hello,   Is there a way to get an alert when (at the time of)  a UF is considered missing?  I don't mean a report of all missing UFs over all time, but when one of them goes offline recently?   In the Cloud Monitoring Console app, I see there is a screen for Forwarders:Deployment, so I copied the query for the Status & Configuration table with the hopes that might be a good jumping off point - here is my query:         | inputlookup sim_forwarder_assets | makemv delim=" " avg_tcp_kbps_sparkline | `sim_rename_forwarder_type(forwarder_type)` | search NOT [| inputlookup sim_assets | dedup serverName | rename serverName as hostname | fields hostname] | `sim_time_format(last_connected)` | fields hostname, forwarder_type, version, os, arch, status, last_connected | search hostname="***" | search status="*" | search last_connected < -20m@s | rename hostname as host, forwarder_type as Type, version as Version, os as OS, arch as Architecture, status as Status, last_connected as "Last Connected to Indexers"         As I understand it the UF status is set to 'missing' after 15 minutes of inactivity. The above search is run in a short window of say the last 30 minutes.     Is there perhaps a more direct way to get what I need?  Else is there a way to get the above to work?   Thanks for any advice!   ... View more

Re: UF parallelization for Splunk Cloud

by in Deployment Architecture
‎01-21-2021 12:15 PM
‎01-21-2021 12:15 PM
It turns out that there was a change in corporate policy which allows for each of these systems to access the 'outside' network segment, provided a business need could be given, so I'm good to go - thanks! ... View more

UF parallelization for Splunk Cloud

by in Deployment Architecture
‎12-11-2020 08:21 AM
‎12-11-2020 08:21 AM
I'm looking for advice for avoiding the 'Funnel Effect' for a small number of intermediate Universal Forwarders to about 15 cloud indexers - my best lead is to apply parallelization - has anyone had success with that, specifically to the Cloud version?  Are there alternatives?   Here is a presentation on that issue, where the problem is described at depth but the parallelization solution is only briefly touched upon: Video - https://www.splunk.com/en_us/resources/videos/worst-practices-and-how-to-fix-them.html Presentation - https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf Thanks for any advice! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-25-2021 02:40 PM
Karma given to
View All