Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk ITSI
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Premium Solutions
- :
- Splunk ITSI
- :
- need splunk query for this we have two hosts and w...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need splunk query for this we have two hosts and we want to display the status for these two hosts (up/down) but one host is not available in the list that host we dill display it as down
mahendra559
New Member
03-12-2020
03:21 AM
2hosts
one host logs are not coming in to the splunk that host we want display as a Down
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-14-2020
02:23 PM
This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
03-14-2020
02:19 PM
| tstats count where host="A" OR host="B" by host
| append [|makeresults
| eval host=split("A,B",",")
| mvexpand host
| fields - _*]
| stats values(count) as status by host
| fillnull value=Down
| rex field=status mode=sed "s/\d+/Up/g"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wmyersas
Builder
03-12-2020
07:48 AM
Sounds like you may need a lookup so you can report on what's missing.
Let's say you have a csv named important_hosts.csv with a single field named host
Now you can do something like this:
index=ndx sourcetype=srctp (host="host_1" OR host="host_2")
| stats count by host
| append
[ | inputlookup important_hosts.csv ]
| fillnull
| stats max(count) as count by host
| eval status=if(count>0,"up","down")
| fields - count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahendra559
New Member
03-12-2020
09:24 PM
Hi I tried this query but not showing the down host
And it is metric log query I searched with system.system_up_time metric log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gaurav_maniar
Builder
03-12-2020
06:09 AM
Hi,
Run the given query for particular time range or real-time and get count of events by host.
If count is greater than 0 than host is UP, else DOWN.
host=host_1 OR host=host_2
| stats count by host
| eval status = if(count>0, "Up", "Down")
| table host, status
accept & up-vote the answer if it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wmyersas
Builder
03-12-2020
07:44 AM
If host1 isn't sending data, stats isn't going to find it
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
