Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert when both devices in HA pair stop reporting

gstefancyk
Path Finder
‎01-26-2018 12:05 PM

I currently have an alert setup to send email when one of our infoblox servers stops sending logs based on metadata of the index and a csv lookup for hosts. This works well but the issue I am running into is that some of the devices are in an HA pair so I am constantly getting emails for the backup device not reporting. Below is my current search,

| metadata type=hosts index=infoblox
| lookup infoblox_hosts.csv host_ip as host OUTPUT host_ip as host, server_name as server
| search host=*
| where lastTime < (now() - 86400)
| convert ctime(lastTime) as LastTimeLogged
| table host,server LastTimeLogged
| sort LastTimeLogged

Can someone point me in the right direction to setup a condition to alert when both server1 and server2 have stopped reporting otherwise do nothing?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎01-26-2018 05:14 PM

is there anything in your lookup that identifies which servers are part of the HA pair? maybe another column that identifies the HA IP for example?

If so, then you might be able to just worry about the latest event from that vip. Something like:

| metadata type=hosts index=infoblox 
| lookup infoblox_hosts.csv host_ip as host OUTPUT host_ip as host, server_name as server, ha_ip as vip
| search host=*
| eventstats max(lastTime) as vip_lastTime by vip
| where vip_lastTime < (now() - 86400)
| convert ctime(vip_lastTime) as LastTimeLogged
| table host,server LastTimeLogged

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

maciep
Champion
‎01-26-2018 05:14 PM

is there anything in your lookup that identifies which servers are part of the HA pair? maybe another column that identifies the HA IP for example?

If so, then you might be able to just worry about the latest event from that vip. Something like:

| metadata type=hosts index=infoblox 
| lookup infoblox_hosts.csv host_ip as host OUTPUT host_ip as host, server_name as server, ha_ip as vip
| search host=*
| eventstats max(lastTime) as vip_lastTime by vip
| where vip_lastTime < (now() - 86400)
| convert ctime(vip_lastTime) as LastTimeLogged
| table host,server LastTimeLogged
0 Karma
Reply
Solved! Jump to solution

gstefancyk
Path Finder
‎01-31-2018 04:00 AM

Thanks for the suggestion, I will give this a try and see happens.

0 Karma
Reply
Solved! Jump to solution

gstefancyk
Path Finder
‎01-31-2018 07:36 AM

Thanks maciep, works as expected after adding 3rd column to my lookup table.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...