Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a search to display forwarders missing at a certain point in time?

AaronMoorcroft
Communicator
‎10-31-2016 05:47 AM

Hi Guys

Is there a search that can pull back the forwarders that are missing / not sending data at a point in time, so if 100 were reporting in yesterday, I'm after a report that looks at what's sending logs now and compare to what was sending in at the same time yesterday and display the missing forwarders at this point in time.

I hope that makes sense.

Thanks

Tags (3)
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-31-2016 06:35 AM

Try this

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count
0 Karma
Reply

AaronMoorcroft
Communicator
‎10-31-2016 08:53 AM

Hey, thank you.

That's not quite what I need but it will help me with a different task I have so thank you 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...