Splunk search for Deployment Clients that Havent Phoned Home in 24 Hours

Copy
| rest splunk_server=local /services/deployment/server/clients | eval now=now(), diffTime=now-lastPhoneHomeTime, lastPhoneHomeTime=strftime(lastPhoneHomeTime,"%b %d, %Y %H:%M:%S") | search diffTime>86400 | table hostname ip instanceName utsname package splunkVersion lastPhoneHomeTime
This search will return a list of Deployment Clients that have not phoned home to the Deployment Server within the past 24 hours. The search will return: hostname, IP address, instanceName (typically the same as hostname), utsname (type of system, e.g. windows-x64, linux-x86-64), package (e.g. universal_forwarder, enterprise), splunkVersion. This search should be run from your Deployment Server. Can also be run from the Distributed Monitoring Console (DMC) if your Deployment Server has been configured as a search peer. If run from the DMC specify the appropriate splunk_server in the search.
0 comments
Sign in or Register to submit a comment