cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Johnstone234
Loves-to-Learn
Member since: ‎10-15-2021
‎10-15-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-15-2021
View All

Re: Search to find Agent/Server with No "Reconnect...

by in Splunk Search
‎10-15-2021 05:49 AM
‎10-15-2021 05:49 AM
@gcusello  - Yeah, the device that I am using will send me logs if and when the servers are "down" or if the device cannot reach them.   When the device is disconnected -  Agent - "Servername" - Error: Unable to reach Agent at "IP Address" When the device is connected -  Agent - "Servername" - Info: Connected to Agent at "IP Address" ... View more

Re: Search to find Agent/Server with No "Reconnect...

by in Splunk Search
‎10-15-2021 05:18 AM
‎10-15-2021 05:18 AM
@ITWhisperer  - Thanks, I am able to specify the event so I have added that to the search   index="XXXlogs" sourcetype="systemlog" eventid="connectserver" OR eventid="disconnectserver" devicename="device1" logdescription="Agent*" | stats latest(eventid) by win_server | rename citrix_win AS Server, latest(event_id) AS LatestState   From this, is there a way to have an alert fired when the "LatestState" has been "disconnectserver" for over a certain amount of time? ... View more

Re: Search to find Agent/Server with No "Reconnect...

by in Splunk Search
‎10-15-2021 04:11 AM
‎10-15-2021 04:11 AM
Hi @gcusello  The alert that I would be wanting to set up would be specifically to monitor when our monitoring device drops connection to the server, I should have noted in my original post - each of the servers in question has an agent on them that our device connects to, the alert would be to have us go and look at our device to see why the disconnect has occurred without a reconnect. I do appreciate the response, though! ... View more

Search to find Agent/Server with No "Reconnect" Ev...

by in Splunk Search
‎10-15-2021 03:15 AM
‎10-15-2021 03:15 AM
Hi,   I am hoping to get some help in creating a search, which will be turned into an alert - I am working with system logs from a monitoring device, where a log is submitted when any one of ~600 servers go down and while the server stays down a new log is dropped every ~10 mins, then if the server comes back up a "Reconnect" log is submitted. I am wanting to get the search to return me the name of a server/agent that has had at least 1 "disconnect" but no "reconnect" entry within a time period and then once a reconnect is received - the server is no longer listed. I am not very experienced with Splunk and thus far only have a search that is returning me counts of both types of events (connect/disconnect): index="XXXlogs" sourcetype="systemlog" eventid="*connectserver" devicename="device1" logdescription="Agent*" |  stats count by win_server, event_id Any help is appreciated. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-15-2021 04:15 PM