
Printer Dashboard Idea/Issue

Hello,

Trying to determine Best Practices for the following, and I don't want to reinvent the wheel if a Splunker has already resolved this issue. This is for a printer dashboard. This is a minimized small scale of reality.

Setup

• 5 printers: A, B, C, D, E
• 2 printer statuses: UP, DOWN
• Dashboard will be refreshed every 5 minutes, searching for the latest status of printers A – E

Process

• The 1st 5 minutes, printers A – E show status as UP
• The 2nd 5 minutes, printers A – D show status as UP, E as DOWN

Problem

• The 3rd 5 minutes, printers A – D are UP, E is ????

This is because the print server has not received any events from printer E; therefore, neither have the Splunk indexers.

Possible solution (50,000 feet)

1. Lookup table that stores the last status ingested for each printer, including time
2. The next time the search is run (5 minutes later), any printers missing a status, "**No Printer Events!**", will be searched for in the lookup table
3. The dashboard will be populated with the lookup status for the printer
4. Once the dashboard is fully populated, the lookup table will be cleared of all rows and repopulated from the dashboard status (status saved in a token with time for each printer)

I think this will work, but it will be a lot of coding.

A first response* to the above might be to increase the search time range from 5 minutes to 60 minutes, or 4 hours, or 24 hours, etc. Problem is, at some point, a printer will have sent its status before that new time range. Below is the reality. Case in point.

*Because of the limitation on how many images I can upload, these 3 time ranges (15 mins, 4 hours, all-time) have been combined into one image.*

![printerDB-3diffTimeRanges][1]

Notice the different statuses, especially oix21. This printer was offline between 16 minutes and 4 hours ago. If the Helpdesk only had the 15-minute view, they would not know this printer is down, because a down printer doesn’t write logs to the print server.

Now we discover printer rv44 status is “toner low”. According to our 15-minute view, this printer had no recent events. This is with only 2 possible statuses/statii. There are over 15 (door open, out of paper, etc.).

\* Another possibility is to have the printers send a status update every 5 minutes. We are looking into that.

I hope I did not convolute things with my explanation. Is there a Splunk Best Practice for storing latest status (and time thereof), updating it when a new status is learned? Hmm, kvstore perhaps?????

[1]: /storage/temp/284628-screenshot-3-2-2020-10-46-00-am.png
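The last-known-status table proposed in the post, modelled in Python as an added example; it is not part of the original post and is not SPL. Printer names, timestamps and the 15-minute stale threshold are constructed, and the table is upserted per printer rather than cleared and repopulated as in step 4.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(minutes=15)  # assumed threshold for flagging an old status

def merge_window(state, events):
    """Fold one search window's events into the last-known-status table.

    state:  {printer: (status, event_time)}, standing in for the lookup/KV store
    events: iterable of (printer, status, event_time) from the latest window
    Only a newer event overwrites a stored row; silent printers keep theirs.
    """
    for printer, status, ts in events:
        if printer not in state or ts >= state[printer][1]:
            state[printer] = (status, ts)
    return state

def dashboard_rows(state, now):
    """One row per known printer: status, minutes since last event, stale flag."""
    rows = {}
    for printer, (status, ts) in sorted(state.items()):
        age = now - ts
        rows[printer] = {
            "status": status,
            "age_min": int(age.total_seconds() // 60),
            "stale": age > STALE_AFTER,
        }
    return rows

def simulate():
    """Constructed data: the three 5-minute refreshes described in the post."""
    t0 = datetime(2020, 3, 2, 10, 0)
    state = {}
    # 1st window: printers A-E all report UP
    merge_window(state, [(p, "UP", t0) for p in "ABCDE"])
    # 2nd window: A-D report UP, E reports DOWN
    t1 = t0 + timedelta(minutes=5)
    merge_window(state, [(p, "UP", t1) for p in "ABCD"] + [("E", "DOWN", t1)])
    # 3rd window: A-D report UP, E sends nothing at all
    t2 = t0 + timedelta(minutes=10)
    merge_window(state, [(p, "UP", t2) for p in "ABCD"])
    return dashboard_rows(state, now=t2)

if __name__ == "__main__":
    for printer, row in simulate().items():
        print(printer, row)
```

In the third refresh printer E still shows DOWN with an age of 5 minutes instead of disappearing, and the age column tells the Helpdesk how old each status is.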
