Getting Data In

monitor to check whether the logging (receiving) is working or not!!!

basilboon
New Member

Hi Splunk Team,

First of all, you've got a great app!! Thanks for that!!

My master Splunk has been set up correctly and forwards logs to another active Splunk. Yesterday when I checked, the log receiving had stopped because of the disk space on the server. It got fixed after increasing the disk space.

Now the thing is, we are trying to set up a monitor using our tool (ICINGA) just to check whether the log receiving is up to date.

Is there any command to show whether the logs are up to date?

Let me know if you need more information.

Regards,
Basil

0 Karma

basilboon
New Member

Hi Daniels,

Thanks for your reply.

The exact thing I want is to write a shell script (bash) to monitor whether the logging is working properly. The script will run every five minutes, get the data (somehow via the shell) and send mail to a distribution list only if the logging has not been working for the past hour or so.

Just want to know if there are any commands to identify this from the back end (server console).

Regards,
Basil

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Check out this previous Splunkbase answer. You can create an alert based on that search. You'll just need to adjust the time to be 'age > somenumber' in seconds. The example below is checking to see if there are any hosts that haven't sent events in the last two days. If the search comes up empty it means you are ok. If you get values, you can alert on them to let you know which hosts might be having issues sending data to Splunk.

http://splunk-base.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data

| metadata index=main type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

0 Karma
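The search above gives the age check; the five-minute cron job Basil describes still needs something around it that decides when to mail. The script below is an added example, not code from this thread or from Splunk: it runs the same age logic (now() minus lastTime, compared with a threshold) over the CSV that a `| metadata type=hosts` search returns, reports the hosts that have gone quiet, and flags the case where nothing at all has arrived in the last hour, which is what a full disk on the receiver looks like. The CSV embedded in it is a constructed sample, the `splunk search ... -output csv` invocation in the comments is assumed CLI syntax, and the `ops@example.com` address stands in for the distribution list.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): decide from a "| metadata type=hosts"
# result whether log receiving has stalled, so a cron job mails only then.
set -eu

# Alert when a host has been silent for longer than this (one hour).
STALE_AFTER=3600

# Constructed sample of what the search might return; real runs would use
# (assumed CLI syntax):
#   splunk search '| metadata index=main type=hosts | fields host,lastTime' \
#       -output csv -auth "$SPLUNK_AUTH"
SAMPLE_CSV='host,lastTime
web01,1700000000
web02,1699990000
db01,1699996300'

# stale_hosts NOW CSV: print "host age" for every host whose lastTime is
# older than STALE_AFTER seconds relative to NOW (the SPL "where age > N").
stale_hosts() {
  local now="$1" csv="$2"
  printf '%s\n' "$csv" | awk -F, -v now="$now" -v limit="$STALE_AFTER" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }   # map header names
    NF >= 2 {
      age = now - $(col["lastTime"])
      if (age > limit) print $(col["host"]), age
    }'
}

# receiving_stalled NOW CSV: succeed (exit 0) when even the newest event on
# the index is older than STALE_AFTER, i.e. the receiver is getting nothing.
receiving_stalled() {
  local now="$1" csv="$2" newest
  newest=$(printf '%s\n' "$csv" | awk -F, '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF >= 2 && $(col["lastTime"]) > max { max = $(col["lastTime"]) }
    END { print max + 0 }')
  [ $((now - newest)) -gt "$STALE_AFTER" ]
}

# Cron entry point: runs only when RUN_CHECK=1, so sourcing the file for
# tests does not send mail. Swap SAMPLE_CSV for the live search output.
main() {
  local csv="$SAMPLE_CSV" now
  now=$(date +%s)
  if receiving_stalled "$now" "$csv"; then
    printf 'No host has sent events to index=main for over %s seconds\n' "$STALE_AFTER" \
      | mail -s 'Splunk receiving stalled' ops@example.com   # assumed distribution list
  fi
}
if [ "${RUN_CHECK:-0}" = 1 ]; then main; fi
```

Per-host output from `stale_hosts` is useful for the Icinga side (which forwarder is quiet), while `receiving_stalled` is the single yes/no the mail should key on; exit status is the contract, so a check script can call it directly.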
