Hello,
I have a Splunk dashboard in which I can see that multiple nodes are down under multiple FQDNs.
I opened the search for the nodes which are down and it showed the query below:
host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.😞 (?.😞 DOWN: (?.*)" | dedup hostname host
The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs.
I want to also see since when the nodes are down.
Is there any way we can check it?
![alt text][1] ![alt text][2]
[1]: /storage/temp/252199-2.jpg // showing the actual total number of nodes down.
[2]: /storage/temp/252198-1.jpg // showing the nodes which are under for the particular FQDN