Splunk search for Time taken to restart Splunk

index=_audit (action="splunkShuttingDown" OR action="splunkStarting")
| eval Date=strftime(_time, "%b %d, %Y")
| transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting"
| eval duration=round(duration/60, 2)
| table Date splunk_server duration
| rename duration as "Time taken to restart (min)" splunk_server as "Splunk Server"
This Splunk search shows every time any Splunk server was restarted within the selected time range. It also outputs how long each restart took, measured from the splunkShuttingDown audit event to the following splunkStarting event on the same server. This search can be helpful to identify any Splunk servers that are experiencing longer than usual restart times.
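
One way to surface only the longer than usual restarts mentioned above, as an added example that is not part of the original post: each restart is compared with that server's own median restart time over the selected time range. The field names restart_min, median_min and restarts, the minimum of 5 restarts per server, and the 2x factor are assumptions to tune for your environment.

```spl
index=_audit (action="splunkShuttingDown" OR action="splunkStarting")
| transaction splunk_server startswith=action="splunkShuttingDown" endswith=action="splunkStarting"
| eval restart_min=round(duration/60, 2)
| eventstats count as restarts median(restart_min) as median_min by splunk_server
| where restarts >= 5 AND restart_min > 2 * median_min
| eval Date=strftime(_time, "%b %d, %Y")
| table Date splunk_server restart_min median_min restarts
| rename restart_min as "Time taken to restart (min)" median_min as "Median restart (min)" restarts as "Restarts in range" splunk_server as "Splunk Server"
```

Run it over a range long enough to include several restarts per server, otherwise the median is not a meaningful baseline.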