Sourcetype not reporting in Splunk query

anandhalagaras1 — Thu, 21 Jan 2021 06:50:00 GMT

Hi Team,

We have a requirement that is I have few of the sourcetypes configured from our end which contains very important logs. So if there are no logs from those particular sourcetypes then we need to get an alert for the same. So how should we need to configure the alert.

Hence kindly guide me with the search query for the same. i.e. The condition is that the search query would be running for every 15 minutes and it should trigger an alert if any of these sourcetypes are not sending logs to splunk for every 15 minutes.

Example:

index= windows sourcetype=dns

index=firewall sourcetype=syslog

index=os sourcetype=top etc.

So kindly help me with the query.

Re: Sourcetype not reporting in Splunk query

rnowitzki — Thu, 21 Jan 2021 10:39:23 GMT

Hi @anandhalagaras1

You already have what you need basically.

Go to settings -> Sarch, Reports and Alerts, click "new Alert" in top right.

As search you would put in for example index=windows sourcetype=dns
Make sure Alert Type is set to "Scheduled" and select "Run on Cron Schedule"
Use this Cron Expression */15 * * * * (run every 15th minute).
As Time Range select "Last 15 Minutes".
As Trigger Condition set: "Number of Results" and "is equal to " 0.

At the bottom you can configure the kind of alert action you need (email, webhook posting, call the police...)

Hope this helps.
BR
Ralph

Edit: Instead of returning all the Events, it would be better (from a performance/ressource usage pov) to run a stats command like:

index=windows sourcetype=dns | stats count

And alert based on the count field.
So, once you have the alerting running, this would be a good point to optimize it.

topic Re: Sourcetype not reporting in Splunk query in Getting Data In

Sourcetype not reporting in Splunk query

Re: Sourcetype not reporting in Splunk query