
No hostname list in Splunk for Nagios

Fcor
New Member

Hi,

I've installed a forwarder on my Nagios machine and it sends the log to my main Splunk server.

My "nagios" index is good, as I can search in it and get my info.

But my problem is that when I go to the "Alert Dashboard" my hostname list is empty.

So I looked at the plugin objects and I can't find any "Extract - hostname" or something like that.

Nagios 3.2.1 and Splunk 4.2.4.

Thanks.

For example, I got these lines from the nagios index; they seem quite normal:

12/5/11 5:57:29.000 PM
1323104249 SERVER01 MEMOIRE OK 1 HARD 0.259 0.174 OK: physical memory: 4.18G physical memory %=26%;80;90 physical memory=4281.14MB;814.90;2452.77;0;16378.63
host=BALLPSUP002.loglibris.grp-martiniere.fr | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata.out

12/5/11 5:57:28.000 PM
1323104248 SERVER002 SSH OK 1 HARD 0.016 0.161 TCP OK - 0,000 second response time on port 22 time=0,000442s;;;0,000000;10,000000
host=BALLPSUP002.loglibris.grp-martiniere.fr | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata.out


Fcor
New Member

Hi,

Thanks, it seems that I missed a point in the command line.

But when I try:

earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE: (?P<device>[^;]*)(?=;)" | stats count by device

I get no results, but when I search:

earliest=-24h index="nagios" nagiosevent="SERVICE ALERT" | rex ".+SERVICE ALERT: (?P<device>[^;]*)(?=;)" | stats count by device

I get the device list.

In fact, when I search:

earliest=-24h index="nagios" sourcetype=nagios

I get a lot of information, but in the "nagiosevent" field I only get 4 values:

SERVICE ALERT

SERVICE NOTIFICATION

GLOBAL SERVICE EVENT HANDLER

SERVICE EVENT HANDLER

But if I read you well, I should have "CURRENT HOST STATE" at midnight?

An example of what I get now:

1323164934 src_host="SERVER001" perfdata="SERVICEPERFDATA" name="FTP" severity="OK" attempt="1" statetype="HARD" executiontime="0.016" latency="0.216" reason="FTP OK - 0,005 second response time on port 21 [220 Welcome to FTP service.]" result="time=0,004622s;;;0,000000;10,000000"
host=SERVER003 | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata | src_host=BALWPDMZ001

12/6/11 10:48:54.000 AM
1323164934 src_host="SERVER002" perfdata="SERVICEPERFDATA" name="SERVICE_BACKUPEXEC_AGENT" severity="OK" attempt="1" statetype="HARD" executiontime="0.275" latency="0.187" reason="OK: Backup Exec Agent Br


lukeh
Contributor

Hi 🙂

The hostname list in the Alerts Dashboard is populated by the following Splunk search:

earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE\: (?P<device>[^;]*)(?=;)"| stats count by device

Could you please run that search and check if you have a list of devices (aka hostnames)?

If the above search does not return any results, please run the following search to confirm that your nagios.log file is being indexed by Splunk with the correct sourcetype:

earliest=-24h index="nagios" sourcetype=nagios

Note: the nagios log contains events labelled "CURRENT HOST STATE" which are generated by default by Nagios at midnight every day.

I also noticed that you have not changed the template in your Nagios installation for the performance data, i.e. the sample log data you included does not contain the key=value pairs that Splunk for Nagios is expecting.

Please follow the instructions entitled "Nagios Configuration (REQUIRED)" to fix the log format of the performance data:

http://splunk-base.splunk.com/apps/22374/splunk-for-nagios

Note: if you are using pnp4nagios or similar to generate rrd graphs then changing the log format of the performance data as above may break your rrd graphs. I am currently testing a methodology to create a new sourcetype so that both pnp4nagios and Splunk for Nagios can be used at the same time. Watch this space 🙂

All the best,

Luke 🙂

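To make the two points in Luke's reply concrete, here is an added example (not code from the thread or from the Splunk for Nagios app) that runs the dashboard's rex pattern over constructed nagios.log lines and emulates `stats count by device`, then checks a perfdata line for the key="value" fields the app expects. Hostnames and the `devices_by_event` / `has_kv_perfdata` helpers are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed nagios.log lines (placeholder hostnames, not taken from the thread).
# Nagios writes the CURRENT HOST STATE block when it rotates its log, by default at midnight.
NAGIOS_LOG = """\
[1323043200] CURRENT HOST STATE: SERVER01;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 0.40 ms
[1323043200] CURRENT HOST STATE: SERVER02;DOWN;HARD;3;CRITICAL - Host Unreachable
[1323043200] CURRENT SERVICE STATE: SERVER01;SSH;OK;HARD;1;TCP OK - 0.001 second response time
[1323104248] SERVICE ALERT: SERVER02;SSH;CRITICAL;SOFT;1;Connection refused
[1323104249] SERVICE NOTIFICATION: admin;SERVER02;SSH;CRITICAL;notify-service-by-email;refused
"""


def devices_by_event(log_text: str, event: str) -> Counter:
    """Emulate `nagiosevent="<event>" | rex ".+<event>: (?P<device>[^;]*)(?=;)" | stats count by device`.

    With event="CURRENT HOST STATE" this is the pattern the Alerts Dashboard uses.
    Lines that do not carry the event contribute nothing, just as rex yields no field for them,
    which is why the dashboard list is empty on a log that has no midnight host-state block.
    """
    pattern = re.compile(r".+" + re.escape(event) + r": (?P<device>[^;]*)(?=;)")
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            counts[m.group("device")] += 1
    return counts


# Perfdata check: the app expects key="value" pairs (src_host, perfdata, name, ...), not the
# default space-separated Nagios template. Both sample lines are constructed.
OLD_TEMPLATE = "1323104248 SERVER002 SSH OK 1 HARD 0.016 0.161 TCP OK - 0,000 second response time"
NEW_TEMPLATE = '1323164934 src_host="SERVER002" perfdata="SERVICEPERFDATA" name="SSH" severity="OK"'


def has_kv_perfdata(line: str, required=("src_host", "perfdata", "name", "severity")) -> bool:
    """True when every required field appears as key="value" in the perfdata line."""
    keys = set(re.findall(r'(\w+)="[^"]*"', line))
    return all(k in keys for k in required)


if __name__ == "__main__":
    print(devices_by_event(NAGIOS_LOG, "CURRENT HOST STATE"))  # hosts the dashboard would list
    print(devices_by_event(NAGIOS_LOG, "SERVICE ALERT"))       # what the SERVICE ALERT search counts
    print(has_kv_perfdata(OLD_TEMPLATE), has_kv_perfdata(NEW_TEMPLATE))
```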