https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173190#M34827 <P>Hi everyone, How do I detect a host which stops sending logs? Ideally an alert would be the optimal application of an elaborate search. So far <STRONG>|metadata type=hosts | eval age = now() - lastTime | search age &gt; 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime</STRONG> doesn't do the trick. </P> <P>It only works for one day and then it stops producing results (we are assuming the host which stopped forwarding stays that way meaning it worked once upon a time and then it stopped working; it doesn't just start working again by itself)...hence the need to detect this condition MORE THAN a day after the host stopped forwarding. For example I want the search to produce result if a host last forwarded a log 28 days ago and since then it hasn't forwarded anything.</P> <P>Thank you!</P> Tue, 21 Oct 2014 00:46:50 GMT bbiandov 2014-10-21T00:46:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173190#M34827 <P>Hi everyone, How do I detect a host which stops sending logs? Ideally an alert would be the optimal application of an elaborate search. So far <STRONG>|metadata type=hosts | eval age = now() - lastTime | search age &gt; 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime</STRONG> doesn't do the trick. </P> <P>It only works for one day and then it stops producing results (we are assuming the host which stopped forwarding stays that way meaning it worked once upon a time and then it stopped working; it doesn't just start working again by itself)...hence the need to detect this condition MORE THAN a day after the host stopped forwarding. For example I want the search to produce result if a host last forwarded a log 28 days ago and since then it hasn't forwarded anything.</P> <P>Thank you!</P> Tue, 21 Oct 2014 00:46:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173190#M34827 bbiandov 2014-10-21T00:46:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173191#M34828 <P>Seems like you should just be able to increase the number you're comparing against <CODE>age</CODE>, e.g., to 86400 x 28. I suppose if you want to every day report on every host that has ever stopped sending, then you can just remove that filter entirely.</P> Tue, 21 Oct 2014 04:10:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173191#M34828 gkanapathy 2014-10-21T04:10:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173192#M34829 <P>Thanks gkanapathy, the challenge I am facing is that the search works just fine; but if saved as an alert one can ONLY select 1 day; sure you can change it in the GUI but once saved it reverts back to 1 day. That's what breaks it:</P> <P><A href="https://www.dropbox.com/s/2dzon27ssowqicg/splunk.png?dl=0">https://www.dropbox.com/s/2dzon27ssowqicg/splunk.png?dl=0</A></P> Tue, 21 Oct 2014 04:31:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173192#M34829 bbiandov 2014-10-21T04:31:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173193#M34830 <P>you need to edit the search, not the time selector.</P> Tue, 21 Oct 2014 04:34:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173193#M34830 gkanapathy 2014-10-21T04:34:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173194#M34831 <P>you need to run over 2/3 days to get the missing forwarder alert again and again. The problem with daily alert is metdata doesn't show you older records.</P> Tue, 21 Oct 2014 06:47:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173194#M34831 linu1988 2014-10-21T06:47:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173195#M34832 <P>You can use an app named : "deployement monitor"</P> Wed, 08 Jul 2015 09:10:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-a-host-which-stops-sending-logs/m-p/173195#M34832 jd 2015-07-08T09:10:13Z