https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651153#M110602 <P>TrackMe (<A href="https://splunkbase.splunk.com/app/4621" target="_blank">https://splunkbase.splunk.com/app/4621</A>) is the application that can help you.</P><P>&nbsp;</P><P>Also, you can built custom saved searches which looks over the latest _time of the events and alert if the time difference between current time and latest(_time) is more than threashold. Threashold can be maintained in the lookup and called in the search. For example, create a lookup called&nbsp;acceptable_diff.csv with sample entries as below -&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="meetmshah_0-1689789323346.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26344i54143AEBFF1FBA09/image-size/medium?v=v2&amp;px=400" role="button" title="meetmshah_0-1689789323346.png" alt="meetmshah_0-1689789323346.png" /></span></P><P>&nbsp;</P><P>and run the below search -&nbsp;</P><P>&nbsp;</P><P>| tstats latest(_time) as lastEventTime where index=* by index<BR />| eval current_time=now()<BR />| eval diff=current_time-lastEventTime<BR />| lookup acceptable_diff.csv index as index OUTPUTNEW acceptable_diff as acceptable_diff<BR />| eval diffWithAcceptableDiff=diff-acceptable_diff<BR />| sort 0 - lastEventTime<BR />| eval lastEventTime=strftime(lastEventTime,"%m/%d/%y %H:%M:%S")<BR />| fields index lastEventTime diffWithAcceptableDiff acceptable_diff<BR />| search diffWithAcceptableDiff&gt;0</P><P>&nbsp;</P><P>Feel free to accept the answer if it helps!</P> Wed, 19 Jul 2023 17:56:30 GMT meetmshah 2023-07-19T17:56:30Z https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651149#M110601 <P>Hi, we’ve had a problem recently where data has stopped flowing to an index, and it’s a few days before we find out and then resolve. Does anyone know of a splunk 9.x feature or an add-on that you can use to monitor / alert when data stops for a set amount of time?</P> Wed, 19 Jul 2023 17:35:39 GMT https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651149#M110601 lavster 2023-07-19T17:35:39Z https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651153#M110602 <P>TrackMe (<A href="https://splunkbase.splunk.com/app/4621" target="_blank">https://splunkbase.splunk.com/app/4621</A>) is the application that can help you.</P><P>&nbsp;</P><P>Also, you can built custom saved searches which looks over the latest _time of the events and alert if the time difference between current time and latest(_time) is more than threashold. Threashold can be maintained in the lookup and called in the search. For example, create a lookup called&nbsp;acceptable_diff.csv with sample entries as below -&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="meetmshah_0-1689789323346.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26344i54143AEBFF1FBA09/image-size/medium?v=v2&amp;px=400" role="button" title="meetmshah_0-1689789323346.png" alt="meetmshah_0-1689789323346.png" /></span></P><P>&nbsp;</P><P>and run the below search -&nbsp;</P><P>&nbsp;</P><P>| tstats latest(_time) as lastEventTime where index=* by index<BR />| eval current_time=now()<BR />| eval diff=current_time-lastEventTime<BR />| lookup acceptable_diff.csv index as index OUTPUTNEW acceptable_diff as acceptable_diff<BR />| eval diffWithAcceptableDiff=diff-acceptable_diff<BR />| sort 0 - lastEventTime<BR />| eval lastEventTime=strftime(lastEventTime,"%m/%d/%y %H:%M:%S")<BR />| fields index lastEventTime diffWithAcceptableDiff acceptable_diff<BR />| search diffWithAcceptableDiff&gt;0</P><P>&nbsp;</P><P>Feel free to accept the answer if it helps!</P> Wed, 19 Jul 2023 17:56:30 GMT https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651153#M110602 meetmshah 2023-07-19T17:56:30Z https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651213#M110607 <P><SPAN>Try something like this from the metrics log.<BR />index=_internal source=*metrics.log* host=idx* series=<STRONG>yourindexname</STRONG> | stats latest(_time) as last_data_time by series | eval duration_seconds = now() - last_data_time | eval duration_human = strftime(duration_seconds, "%d days %H:%M:%S") | where duration_seconds &gt; &lt;<STRONG>your_duration_in_second</STRONG>s&gt;</SPAN></P> Wed, 19 Jul 2023 19:03:20 GMT https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651213#M110607 sainag_splunk 2023-07-19T19:03:20Z https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651244#M110611 <P>amazing thank you for this! i'll give this a go today</P> Thu, 20 Jul 2023 05:58:26 GMT https://community.splunk.com/t5/Getting-Data-In/Notification-when-indexes-stop-receiving-data/m-p/651244#M110611 lavster 2023-07-20T05:58:26Z