https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334598#M61859 <P>The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)</P> Tue, 22 Oct 2019 13:40:46 GMT decoherence 2019-10-22T13:40:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334594#M61855 <P>Splunkers,</P> <P>To meet a regulatory requirement, I need to alert on if a syslog device does NOT send data to the Indexers in a 24 hour period.<BR /><BR /> For example:<BR /> If host splunk1 does send data, no alert needs to be generated.<BR /> If host splunk2 does NOT send data, and alert must be generated.<BR /> This alert needs to have a hostname.</P> <P>We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.<BR /> Search example:<BR /> index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host<BR /> This search string returns a count of 16 and it will always be 16 for this specific devices type.</P> <P>Any advice would be greatly appreciated.</P> Wed, 13 Sep 2017 19:35:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334594#M61855 matthew_foos 2017-09-13T19:35:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334595#M61856 <P>Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts &gt; 0.</P> <PRE><CODE>| metadata type=hosts index=* | eval diff=now()-recentTime | where diff &gt; 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime </CODE></PRE> Wed, 13 Sep 2017 21:06:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334595#M61856 richgalloway 2017-09-13T21:06:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334596#M61857 <P>HI matthew.foos,<BR /> you should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and the schedule an alert like this</P> <PRE><CODE>| metasearch index=* | eval host=upper(host) | stats count by host | append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ] | stats sum(count) AS Total by host | where Total=0 </CODE></PRE> <P>You should check what is the minimum time period for monitoring because 24 hours probably is a too large period.<BR /> Bye.<BR /> Giuseppe</P> Wed, 13 Sep 2017 22:18:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334596#M61857 gcusello 2017-09-13T22:18:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334597#M61858 <P>Hi Richgalloway,</P> <PRE><CODE> Can i know what does this "where diff &gt; 86400" trying to say in the query? </CODE></PRE> Tue, 01 Oct 2019 11:34:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334597#M61858 sureshkumaar 2019-10-01T11:34:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334598#M61859 <P>The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)</P> Tue, 22 Oct 2019 13:40:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-alert-if-a-syslog-device-does-not-send-data-in-a-rolling/m-p/334598#M61859 decoherence 2019-10-22T13:40:46Z