I have been using Pingstatus to search for PCs that are in an "Up" state and looking at the number of connected users to find a load balancer issue. This works perfectly as a search, but when I try to set up an alert for this, I receive no errors, but also receive no alerts.
When troubleshooting, the search returns no results. It flags my pingstatus call as an "Unknown command 'pingstatus'. Do you mean 'sistats'?"
I've tried playing with the permissions of the Pingstatus app to make sure it was running, but it runs in the Search and Reporting app... which I assume is where alerting runs out of anyway.
Help?
sourcetype="VDI_Server_IP" |pingstatus url as IP1| table DataCenter, IP1, pingdelay|sort -DataCenter|eval range = if(pingdelay >0, "1","0")|stats sum(range) by DataCenter|rename sum(range) as check
The README.txt explains that you need to set up commands.conf and authorize.conf for the command.
Copy the bin/pingstatus.py bin/ping.py and (optional) bin/ping.pyc files to your
$SPLUNK_HOME/etc/system/bin directory. Then, in your local
$SPLUNK_HOME/etc/system/local directory, create or edit existing authorize.conf
and commands.conf.
In commands.conf add:
[pingstatus]
FILENAME = pingstatus.py
In authorize.conf add:
[capability::run_script_pingstatus]
[role_admin]
run_script_pingstatus = enabled
Restart Splunk to test the command.
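An added example, not part of the original answer or the app's README: a Python check that parses the two files the README names and reports whether the command is registered and which roles have the `run_script_pingstatus` capability enabled. The sample file contents, including the `role_user` stanza, are constructed, and the function name `audit` is hypothetical.

```python
import configparser

# Constructed sample contents mirroring the README stanzas quoted above.
COMMANDS_CONF = """
[pingstatus]
FILENAME = pingstatus.py
"""
AUTHORIZE_CONF = """
[capability::run_script_pingstatus]
[role_admin]
run_script_pingstatus = enabled
[role_user]
srchIndexesDefault = main
"""

def _parse(text):
    # strict=False tolerates repeated stanzas; configparser lower-cases
    # option names, so FILENAME is looked up as "filename" in this script.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def audit(command, commands_text, authorize_text):
    """Report whether a script command is registered, whether its
    run_script_<command> capability is declared, and which roles have it."""
    cmds, auth = _parse(commands_text), _parse(authorize_text)
    cap = "run_script_" + command
    roles = sorted(
        s[len("role_"):] for s in auth.sections()
        if s.startswith("role_")
        and auth.get(s, cap, fallback="").strip().lower() == "enabled"
    )
    return {
        "registered": cmds.has_section(command),
        "filename": cmds.get(command, "filename", fallback=None),
        "capability_declared": auth.has_section("capability::" + cap),
        "roles_enabled": roles,
    }

if __name__ == "__main__":
    for key, value in audit("pingstatus", COMMANDS_CONF, AUTHORIZE_CONF).items():
        print(f"{key}: {value}")
```

To check a real installation, pass the contents of the `commands.conf` and `authorize.conf` files from the directory the README names instead of the constructed strings.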