Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make a line chart that shows the up time of a forwarder?

allen_edmondso1
New Member
‎12-07-2016 10:09 AM

Hi,

We have a number of forwarders in our Splunk Enterprise. And I've been asked to chart the "uptime" of the forwarders in a monthly report. I've no idea how to do that.

I have made an alert to email me using the metadata command based on type=host if an index hasn't been received in the last 300 seconds. But I need a chart showing when it has been up or down...

Thanks
Allen

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adamsaul
Communicator
‎12-07-2016 10:54 AM

allen_edmonson,

Have you taken a look at "Settings" then the "Monitoring Console"? Enabling Forwarder Monitor will allow you to build these reports pretty quickly.
Splunk Docs :: Set up Forwarder Monitoring

Adam

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adamsaul
Communicator
‎12-07-2016 10:54 AM

allen_edmonson,

Have you taken a look at "Settings" then the "Monitoring Console"? Enabling Forwarder Monitor will allow you to build these reports pretty quickly.
Splunk Docs :: Set up Forwarder Monitoring

Adam

0 Karma
Reply
Solved! Jump to solution

adamsaul
Communicator
‎12-12-2016 07:53 AM

allenedmondson,

Glad it worked out for you!

0 Karma
Reply
Solved! Jump to solution

allenedmondson
New Member
‎12-07-2016 11:15 AM

Thanks for your answers. I am not at work at the moment... so can't get the exact search. But it was based on one of the examples for the metadata command. @Somesoni2, can you give an example of the summery index data option? Say I am using only one index..
I will also look at the forwarder monitoring option when I get in to work....thanks.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-07-2016 10:48 AM

When you use the metadata command, what index do you use? (or if you can provide your metadata command). One way would to be use a timechart command to see when there was an event appearing in (that) index from the host. This can be expensive based on which index is being used (how much data that index has). Other option would be setup a summary index to capture the trend/timechart data at frequent interval and chart based off summary index data (already summarized so will be optimal).

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-07-2016 11:24 AM

Some good readings are available here on summary indexing

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Usesummaryindexing
http://www.splunk.com/view/SP-CAAACZW (video)
https://wiki.splunk.com/Community:Summary_Indexing

0 Karma
Reply
Solved! Jump to solution

allenedmondson
New Member
‎12-08-2016 01:36 AM

This is the search that generates the alert if I don't see anything in the last 5 minutes:

| metadata type=hosts index=Exchange | convert ctime(RecentTime) as recent_Time | where lastTime < (now() - 300) | convert timeformat="%d/%b/%Y %H:%M:%S" ctime(recentTime) | convert timeformat="%d/%b/%Y %H:%M:%S" ctime(lastTime) | convert timeformat="%d/%b/%Y %H:%M:%S" ctime(firstTime)

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...