Hi,
I am currently populating a dashboard with the following search for agents:
index=_internal group=tcpin_connections | join hostname [| rest /services/deployment/server/clients splunk_server=* | eval lastPhoneHome=tostring(now()-lastPhoneHomeTime,"duration") | rename utsname to architecture] | stats min(lastPhoneHome) by clientName version architecture sourceIp
This gives me an awesome table of the agents that have phoned home, etc.
What I would like to do is expand on this and have different panels on the dash for the following:
- A list of the most recent (newest/first phoned home) agents
- A list of agents not phoning home and possibly a message as to why not?
- Any other panels anyone thinks would be of use for this scenario?
Any help in terms of how to go about writing the searches would be appreciated!
Thanks!