Pingstatus doesn't return any data

Skippy
Explorer

I'm running splunk-6.1.1-207789-Linux-x86_64 as root on Redhat 5.8 (Tikanga)

I have a sourcetype "test_data" which contains a log entry which reads:

2014-06-14 11:49:00 ip=10.250.232.10

I run a search and I can see the ip address has been extracted from the data as expected. I now run a search like this, hoping to get a ping response time:

sourcetype="test_data" | pingstatus | table ip,pingdelay

But I don't get any pingdelay, that column in the table is just blank:

ip  pingdelay
10.250.232.10   

If I try to run pingstatus manually with this command, it doesn't appear to throw any errors...

$SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/pingstatus_command/bin/pingstatus.py

Any ideas? I'm a bit stumped....

ndoshi
Splunk Employee

First, you need to start Splunk as root or sudo root as it can't call the ICMP protocol without root (or administrator on Windows) access. If you have done that, then your next step is to change your search.

I used a default name called url as the ip field to search on, which is my mistake. I should change that to ip as that would be more appropriate. I copied some of the add-on from another add-on (httpstatus), so that's why there is the legacy name. To get around that, since you don't have a url field name in your data, use this as documented in the README.txt.

sourcetype="test_data" | dedup ip | pingstatus url as ip | table ip,pingdelay

(That would be equivalent to this below, but in that case you lose your ip field name:

sourcetype="test_data" | dedup ip | rename ip as url | pingstatus | table url, pingdelay)
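
A quick way to verify the privilege requirement from the answer above, added here as an example and not part of the thread or of the pingstatus add-on: the script reports whether the account it runs under can open a raw ICMP socket, which on Linux the kernel gates on the CAP_NET_RAW capability that root normally holds. The function names and the use of /proc/self/status are this example's own assumptions, and the script sends no packets.

```python
"""Check whether this process may open the raw ICMP socket a ping needs."""
import errno
import os
import socket

CAP_NET_RAW = 13  # bit number of CAP_NET_RAW in linux/capability.h


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status, or None."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    return None


def has_cap_net_raw(cap_eff):
    """True when the CAP_NET_RAW bit is set in an effective capability mask."""
    return cap_eff is not None and bool((cap_eff >> CAP_NET_RAW) & 1)


def raw_icmp_allowed():
    """Create and immediately close a raw ICMP socket; nothing is sent."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except socket.error as exc:  # OSError on Python 3
        denied = exc.errno in (errno.EPERM, errno.EACCES)
        return False, ("permission denied" if denied else str(exc))
    sock.close()
    return True, "ok"


def report(status_path="/proc/self/status"):
    """Summarise the privileges relevant to sending ICMP from this process."""
    try:
        with open(status_path) as handle:
            cap_eff = parse_cap_eff(handle.read())
    except IOError:  # no /proc: not Linux, or a restricted sandbox
        cap_eff = None
    allowed, detail = raw_icmp_allowed()
    return {
        "euid": os.geteuid(),
        "cap_net_raw": has_cap_net_raw(cap_eff),
        "raw_icmp_socket": allowed,
        "detail": detail,
    }


if __name__ == "__main__":
    print(report())
```

Run it as the same account that starts Splunk; if raw_icmp_socket is False, a command that builds its own ICMP packets has no way to measure a delay from that process.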

nick405060
Motivator

I had a similar problem, where pingdelay would work sometimes and not work other times. It seems to only work if there is a field called _raw in your data. I fixed the problem (after following all the Splunk Answer pages and README, after copying files over to system/local, after changing permissions, etc) by commenting out in etc/apps/pingstatus_command/bin:

if "_raw" in r:
