Solved: Alert if any forwarder stops sending

au_chrismor · ‎05-16-2012

I want to extend the ideas for "Send an alert if machine x" stops sending data, and build the "A forwarder has gone away" alert

How can I write an alert that tells me if we have received no data from an individual machine, without having to specify the machine. I've successfully used the answers here for single machines, but I want to make it universal, and not have to either change the search or add a new one every time I start to monitor a new machine.

The problem is that all the answers I have found here (admittedly, there may be some I missed) need you to identify the machine. What I want to use for example is the absence of Windows Security Log events to find that a Windows Forwarder has dropped off, similarly Syslog on my Solaris machines, but without naming the host.

Any suggestions?

Damien_Dallimor · ‎05-16-2012

Try the Splunk Deployment Monitor App, it has built in Forwarder Monitoring and Alerting :

Missing Forwarder(s)
Quiet Forwarder(s)
Forwarder(s) Sending Less Than Expected
Forwarder(s) Sending More Than Expected

View solution in original post

Damien_Dallimor · ‎05-16-2012

Try the Splunk Deployment Monitor App, it has built in Forwarder Monitoring and Alerting :

Missing Forwarder(s)
Quiet Forwarder(s)
Forwarder(s) Sending Less Than Expected
Forwarder(s) Sending More Than Expected

au_chrismor · ‎05-16-2012

Thanks Damien.

I found the answer in DM just as your reply came in... Appreciate it