DMC alert - missing forwarder alert not working properly.
We have the query shown below and got output from different host servers and different dates. I only want to alert when a Universal Forwarder stops working.
| inputlookup dmc_forwarder_assets | makemv delim=" " avg_tcp_kbps_sparkline | eval sum_kb = if (status == "missing", "N/A", sum_kb) | eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline) | eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps) | eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps) | eval forwarder_type = case(forwarder_type == "full", "Heavy Forwarder", forwarder_type == "uf", "Universal Forwarder", forwarder_type == "lwf", "Light Forwarder", 1 == 1, forwarder_type) | search NOT [| inputlookup dmc_assets | dedup "servername" | rename "servername" as hostname | fields hostname] status=missing
Expected result: get an alert when a Splunk forwarder stops or fails to send any logs.
Answer 0: (score: 0)
If you are only interested in results for Universal Forwarders, you can try the following query
| inputlookup dmc_forwarder_assets | makemv delim=" " avg_tcp_kbps_sparkline | eval sum_kb = if (status == "missing", "N/A", sum_kb) | eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline) | eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps) | eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps) | where forwarder_type="uf" | eval forwarder_type = "Universal Forwarder" | search NOT [| inputlookup dmc_assets | dedup "servername" | rename "servername" as hostname | fields hostname] status=missing
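One way to turn the answer's query into a scheduled alert, as an added example that is not part of the original answer: a savedsearches.conf stanza. The stanza name, 15-minute schedule, suppression window and recipient address are assumptions; the sparkline and "N/A" evals from the dashboard query are dropped because they only matter for display, not for deciding whether to alert.

```ini
# Added example, not from the original question or answer.
# Stanza name, schedule, suppression window and recipient are assumptions.
[UF missing forwarder alert]
enableSched = 1
# Run every 15 minutes. The dmc_forwarder_assets lookup is itself rebuilt by the
# monitoring console's own scheduled search, so the alert can only be as fresh as that table.
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Same logic as the answer: only universal forwarders, exclude hosts that are
# known DMC instances, keep only the ones the monitoring console marks as missing.
search = | inputlookup dmc_forwarder_assets | where forwarder_type="uf" | search NOT [| inputlookup dmc_assets | dedup "servername" | rename "servername" as hostname | fields hostname] status=missing | table hostname forwarder_type status
# Fire as soon as at least one missing universal forwarder is returned.
counttype = number of events
relation = greater than
quantity = 0
# Throttle per host: a forwarder that stays down alerts once per 4 hours
# instead of on every run.
alert.suppress = 1
alert.suppress.fields = hostname
alert.suppress.period = 4h
alert.track = 1
alert.severity = 4
action.email = 1
# Placeholder recipient, replace with your operations distribution list.
action.email.to = splunk-ops@example.com
action.email.subject = Splunk UF missing: $result.hostname$
action.email.include.results_link = 1
```

Because the search reads a lookup rather than indexed events, the dispatch time window does not filter anything; it is set only so the scheduler has a defined range to run with.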