How to check since when the nodes are down under o...

aj2551988 · ‎07-13-2018

Hello,

I have a Splunk dashboard, wherein I can see there are multiple nodes down under multiple FQDN,

I opened the search for the nodes which are down and it showed below query -

host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.😞 (?.😞 DOWN: (?.*)" | dedup hostname host

The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs.

I want to also see since when the nodes are down.

Is there any way we can check it?

![alt text][1] ![alt text][2]

[1]: /storage/temp/252199-2.jpg // showing the actual total number of nodes down.
[2]: /storage/temp/252198-1.jpg // showing the nodes which are under for the perticular FQDN

woodcock · ‎07-15-2018

Your rex is doing nothing so fix it or drop it. Maybe this?

host=smon* "nagios: HOST_PROBLEM:" "DOWN" 
| dedup hostname host
| table _time hostname host

renjith_nair · ‎07-13-2018

Hi @aj2551988,

Try

    host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)" |stats latest (_time) as last_seen by host,hostname

Happy Splunking!

aj2551988 · ‎07-16-2018

Hello,

When Tried the above query, it is giving the error -

"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"

And

"The search job has failed due to an error. You may be able view the job in the Job Inspector."

renjith_nair · ‎07-16-2018

Your rex seems to be wrong. What you need to extract ? If you only host and hostname , you might not need that. If you need to extract something, post a sample event

Happy Splunking!

How to check since when the nodes are down under one particular FQDN

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes