Solved: New Forwarder Added

amN0P · ‎07-12-2011

Is there a way of triggering an automated email alert whenever a NEW host(forwarder) starts sending logs to the Splunk Server.

amN0P · ‎08-12-2011

Thanks Vlad.

One more way of doing this..

Above search returns new forwarders added in the last 5 days.

View solution in original post

amN0P · ‎08-12-2011

Thanks Vlad.

One more way of doing this..

Above search returns new forwarders added in the last 5 days.

reedmohn · ‎12-17-2015

Doesn't this show all forwarders that have logged in the past 5 days?

Vladimir · ‎07-13-2011

Maybe it's not a right way but I used some similar query for alarm to check if I "lost" some hosts

index=my_index host earliest=-5m latest=now | dedup host | eval StatusBefore=1 | join type=left host [search index=my_index host earliest=-65m latest=-60m  | dedup host | eval StatusNow=1 ] | eval Status=if(StatusBefore=StatusNow,1,0) | table host, Status | where Status=0

This query do:

check available hosts for last 5 minutes
check available hosts for 5 minutes - 1 hour
compare two results (status = 1 - OK, status = 0 - new host)

Depending on your data polling interval you can set your own periods.

New Forwarder Added

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases