How to check active nodes sending logs to Splunk forwarder and also how to check that Splunk forwarder is sending all these nodes to Indexer?
Hi @tulgabatm,
To have an overview of perimeter health status, you first have to create a lookup containing all the systems to monitor in your perimeter (called e.g. perimeter.csv). This lookup must have at least one column (called e.g. host), but it can also contain other information to enrich your results.
Then you have to run a search like this:
| metasearch index=_internal OR index=*
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Some clarifications:
- | metasearch so you have a faster search;
- total=0 means that you have no logs from a target;
- index=_internal (without index=*) so you'll have a faster search.
Ciao.
Giuseppe
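The append/sum/where logic of the search above, reproduced in Python as an added example (not part of the answer, not Splunk code): every host in the lookup starts at a count of 0, the observed counts are added on top, and hosts whose total stays 0 are the silent ones. The lookup text and the events are constructed sample data; the function names are my own.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for perimeter.csv (column "host" plus an enrichment column).
PERIMETER_CSV = """host,owner
WEB01,web team
db01,dba team
App02,app team
"""

# Constructed sample of indexed events; only the "host" field matters here.
# Note the mixed case: the same box may report itself as WEB01 or web01.
SAMPLE_EVENTS = [
    {"host": "web01", "_raw": "constructed event 1"},
    {"host": "WEB01", "_raw": "constructed event 2"},
    {"host": "DB01", "_raw": "constructed event 3"},
    {"host": "bastion", "_raw": "constructed event from a host not in the lookup"},
]


def host_counts(events):
    """Equivalent of `| eval host=lower(host) | stats count BY host`."""
    return Counter(e["host"].lower() for e in events if e.get("host"))


def perimeter_hosts(csv_text):
    """Equivalent of `| inputlookup perimeter.csv | eval host=lower(host)`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"].strip().lower() for row in reader if row.get("host")}


def silent_hosts(csv_text, events):
    """Mirror `append ... count=0 | stats sum(count) AS total BY host | where total=0`.

    Lower-casing both sides is what makes WEB01 and web01 count as one host;
    without it the lookup row would never match and the host would look silent.
    """
    totals = {h: 0 for h in perimeter_hosts(csv_text)}
    for host, n in host_counts(events).items():
        # Hosts outside the lookup still get a row, as in the SPL, but they
        # are never 0 so the final filter drops them.
        totals[host] = totals.get(host, 0) + n
    return sorted(h for h, total in totals.items() if total == 0)


if __name__ == "__main__":
    print("silent perimeter hosts:", silent_hosts(PERIMETER_CSV, SAMPLE_EVENTS))
```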