Search for peers with status=down

pc1
Path Finder

What search can I do to find peers with status=down? Looking to form an alert when this happens but can't find it within a search.


somesoni2
Revered Legend

Splunk Monitoring console (formerly known as DMC) has the alert "DMC Alert - Search Peer Not Responding", which does the same thing. It basically runs the following search:

| rest splunk_server=local /services/search/distributed/peers/
| where status!="Up"
| fields peerName, status
| rename peerName as Instance, status as Status

net_id
New Member

Anyone coming here should know that in 9.2.0.1 this does not work any more.
Look at the dmc_instances_view_default_search macro for how the monitoring console does it now.


pc1
Path Finder

Yup, found this preexisting alert and was able to edit the Actions on it to integrate with the Slack Notifications add-on. Runs every 5 minutes to check if the server is down so this works perfectly for me. Thanks for the help!


Stefanie
Builder

Are you looking for hosts with forwarders installed that haven't reported to Splunk in some time?

You can use the Monitoring Console to view that. To view the missing hosts, you can click on the Forwarders tab and then Forwarders: Deployment.

For an alert, go to the Monitoring Console -> Settings -> Alerts Setup. There is an alert named DMC Alert - Missing Forwarders.

Note: A forwarder shows a status of "missing" if it has not connected to indexers within 15 minutes.
