New Splunk Book Excerpt: Monitoring Inactive Hosts

EXCERPT FROM “EXPLORING SPLUNK:  SEARCH PROCESSING LANGUAGE (SPL) PRIMER AND COOKBOOK”.  Kindle/iPad/PDF available for free, and hardcopy available for purchase at Amazon.

Monitoring Inactive Hosts


You need to determine which hosts have stopped sending data. A host might stop logging events if the server, or application producing logs, has crashed or been shut down. This often indicates a serious problem. If a host stops logging events, you’ll want to know about it.


Use the metadata command, which reports high-level information about hosts, sources, and source types in the Splunk indexes. This is the same information used to create the Summary Dashboard. Note that the search begins with a pipe character: rather than retrieving events from a Splunk index, it calls a data-generating command (metadata).

Use the following search to take the information on hosts, sort it so the least recently referenced hosts are first, and display the time in a readable time format:

          | metadata type=hosts
          | sort recentTime
          | convert ctime(recentTime) as Latest_Time

You’ll quickly see which hosts haven’t logged data lately.
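
As an added example (not from the book), the same search can be narrowed to hosts that have been silent longer than a threshold, which makes it usable as a scheduled alert. The 24-hour cutoff (86400 seconds) and the field names age_seconds and Silent_For are assumptions chosen for illustration.

```spl
| metadata type=hosts
| eval age_seconds = now() - recentTime
| where age_seconds > 86400
| sort - age_seconds
| eval Silent_For = tostring(age_seconds, "duration")
| convert ctime(recentTime) as Latest_Time
| table host Latest_Time Silent_For totalCount
```

Because metadata reads what the indexes already hold, a host that has never sent data will not appear in the results; only hosts that logged at least once and then went quiet are listed.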

David Carasso
