Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Host state change

rmorlen
Splunk Employee
Splunk Employee
‎06-11-2013 07:15 AM

We have 4 servers running. 2 active and 2 as offline. Doing a search similar to "hostname="MyServers*" sourcetype="status" serverState="*" | stats count by serverState" will give me a list of the servers and their current state (either active or offline). We want to be able to alert when any of the servers change state (go from active to offline or offline to active). Any suggestions on how to do this? I looked at Tracking Hosts Through a State Diagram but it didn't make sense to me.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎06-11-2013 01:55 PM

If the hosts will log their state in regular intervals you could schedule a search that runs once every interval over a span of 2 intervalls and do something like:

basesearch serverState="*" | stats dc(serverState) as states by host | where states>1

This would give you a list of servers that have changed their state if you throw in a latest(serverState) you will also get the state they are in now.

If the events are not logged at regular intervalls you can still detect state changes if you search over big enough time span.
Using a search to update a lookup table or a summary index that keeps trace of the last state and a second search to compare the lookup table/summary index to the current state is probably the way to go (this is what kristian suggests)

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎06-11-2013 01:55 PM

If the hosts will log their state in regular intervals you could schedule a search that runs once every interval over a span of 2 intervalls and do something like:

basesearch serverState="*" | stats dc(serverState) as states by host | where states>1

This would give you a list of servers that have changed their state if you throw in a latest(serverState) you will also get the state they are in now.

If the events are not logged at regular intervalls you can still detect state changes if you search over big enough time span.
Using a search to update a lookup table or a summary index that keeps trace of the last state and a second search to compare the lookup table/summary index to the current state is probably the way to go (this is what kristian suggests)

Reply
Solved! Jump to solution

rmorlen
Splunk Employee
Splunk Employee
‎06-12-2013 05:16 AM

Yep. This worked. Thanks!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎06-11-2013 07:56 AM

Perhaps you should have a look at this - using a lookup-table to maintain state (and detect changes)

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

/K

0 Karma
Reply
Solved! Jump to solution

rmorlen
Splunk Employee
Splunk Employee
‎06-11-2013 09:07 AM

Whew. Great article. I still can't get when a server changes from active to offline. (so a server was online a minute ago and it is now offline). I can get a list of servers that are either active or offline.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...