|
Hi, I've installed a forwarder on my nagios machine and it send the log to my main splunk server. My "nagios" index is good as i can earch in it and got my info. But my problem is that chen i go to the "Alert Dashboard" my hostname list is empty. So i look at the plugin objects and i can't fnd any Extract - hostname or something like that. Nagios 3.2.1 and splunk 4.2.4. Thanks. For example i got thoses lines from the nagios index it seems quite normal : 12/5/11
5:57:29.000 PM |
|
Hi :) The hostname list in the Alerts Dashboard is populated by the following splunk search: Could you please run that search and check if you have a list of devices (aka hostnames). If the above search does not return any results, please run the following search to confirm that your nagios.log file is being indexed by splunk with the correct sourcetype: Note: the nagios log contains events labelled "CURRENT HOST STATE" which are generated by default by Nagios at midnight every day. I also noticed that you have not changed the template in your nagios installation for the performance data, ie. the sample log data you included does not contain key=value pairs that Splunk for Nagios is expecting. Please follow the instructions entitled "Nagios Configuration (REQUIRED)" to fix the log format of the performance data: Note: if you are using pnp4nagios or similar to generate rrd graphs then changing the log format of the performance data as above may break your rrd graphs. I am currently testing a methodology to create a new sourcetype so that both pnp4nagios and Splunk for Nagios can be used at the same time. Watch this space :) All the best, Luke :) |
|
Hi, Thanks, it seems that i miss a point in the command line. But when i try : earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE: (?P<device>[^;]*)(?=;)"| stats count by device I got no elements but when i search : earliest=-24h index="nagios" nagiosevent="SERVICE ALERT" | rex ".+SERVICE ALERT: (?P<device>[^;]*)(?=;)"| stats count by device I got the device list. In fact when i search : earliest=-24h index="nagios" sourcetype=nagios I got a lot of information but in the "nagiosevent" i just got 4 elements : SERVICE ALERT SERVICE NOTIFICATION GLOBAL SERVICE EVENT HANDLER SERVICE EVENT HANDLER But if i read you well i should have "CURRENT HOST STATE" at midnight ? An example of what i got now : 1323164934 src_host="SERVER001" perfdata="SERVICEPERFDATA" name="FTP" severity="OK" attempt="1" statetype="HARD" executiontime="0.016" latency="0.216" reason="FTP OK - 0,005 second response time on port 21 [220 Welcome to FTP service.]" result="time=0,004622s;;;0,000000;10,000000"
host=SERVER003 Options| sourcetype=nagiosserviceperf Options| source=/srv/eyesofnetwork/nagios/var/log/service-perfdata Options| src_host=BALWPDMZ001 Options
2 |