We should implement some kind of system that allows us to monitor the status of Splunk on a UF. If a UF is not sending any logs to the "_internal" index, that is a good indication that Splunk is not running, there is a problem with the configuration, or there is a network issue. It would make a lot of sense to aggregate all of this into a single alert instead of having multiple alerts for all of the data sources that UF would normally be sending (obviously if logs can't get to the indexers, everything will be "broken"). This kind of alert is a lot clearer on what issue to look into. Perhaps another way to think of this would be the heartbeat concept.
This article has a section on how you would find a "missing" universal forwarder which may help in providing a more accurate output (if we want to get that granular). It uses the DMC asset lookup generator. We could bundle that in as a scheduled search to generate a file that we use for this functionality.
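The heartbeat check described in the issue and in the comment above, as an added example that is not part of this issue or the project's code: a per-host "last seen in _internal" table is built from events, compared against an inventory of expected forwarders (standing in for the DMC asset lookup), and every forwarder that is overdue or has never reported is returned as one row for a single alert. Hostnames, event times, the inventory and the 15-minute threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of index=_internal events (host, _time); not real data.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"host": "uf-web01", "_time": NOW - timedelta(minutes=2)},
    {"host": "uf-web01", "_time": NOW - timedelta(minutes=7)},
    {"host": "uf-db01", "_time": NOW - timedelta(minutes=48)},
    {"host": "uf-db01", "_time": NOW - timedelta(minutes=95)},
    {"host": "uf-app03", "_time": NOW - timedelta(hours=5)},
]
# Constructed inventory standing in for the DMC forwarder asset lookup;
# uf-app04 is listed but has sent nothing in the window.
EXPECTED_FORWARDERS = ["uf-web01", "uf-db01", "uf-app03", "uf-app04"]


def last_seen_by_host(events):
    """Newest _internal event per host, i.e. the result of
    `| stats latest(_time) AS last_seen BY host` over the same events."""
    latest = {}
    for ev in events:
        host = ev["host"]
        if host not in latest or ev["_time"] > latest[host]:
            latest[host] = ev["_time"]
    return latest


def silent_forwarders(events, expected, now, threshold=timedelta(minutes=15)):
    """One row per expected forwarder whose heartbeat is overdue.

    status is "silent" when the host reported but not within `threshold`,
    and "never_seen" when it is in the inventory but absent from the events
    (minutes_silent is None in that case, since there is no last_seen)."""
    latest = last_seen_by_host(events)
    rows = []
    for host in sorted(expected):
        seen = latest.get(host)
        if seen is None:
            rows.append({"host": host, "minutes_silent": None, "status": "never_seen"})
        elif now - seen > threshold:
            minutes = int((now - seen).total_seconds() // 60)
            rows.append({"host": host, "minutes_silent": minutes, "status": "silent"})
    return rows


if __name__ == "__main__":
    for row in silent_forwarders(SAMPLE_EVENTS, EXPECTED_FORWARDERS, NOW):
        print(row)
```

Hosts that report to _internal but are missing from the inventory are deliberately not flagged here; that is an inventory-hygiene question rather than a forwarder-down condition.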