https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711862#M10732 <P>looks nice, but how to do the correlation with it?</P> Mon, 17 Feb 2025 14:10:32 GMT Sultan77 2025-02-17T14:10:32Z https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711848#M10729 <P>Good day everyone.</P><P>I am trying to monitor the environment hosts whether if any stopped sending logs.</P><P>The challenge here to make through content management &gt; correlation search.</P><P>So it can be scheduled every ex: 2 hours.</P><P>any idea?</P> Mon, 17 Feb 2025 12:38:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711848#M10729 Sultan77 2025-02-17T12:38:35Z https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711849#M10730 <P>Splunk is not good at finding things which aren't there - normally you need to give it a list of what to expect and then check to see which of those are there. For example, you could create a list of hosts that are normally sending events to Splunk and count the events from those hosts over a period of time. Any hosts which don't have events may have stopped sending events.</P> Mon, 17 Feb 2025 12:53:58 GMT https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711849#M10730 ITWhisperer 2025-02-17T12:53:58Z https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711850#M10731 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/276535">@Sultan77</a>&nbsp;,</P><P>you have two choices:</P><P>create a lookup (called e.g. perimeter.csv and containing at list only one field: "host") containing the list of hosts to monitor and run a search like the following:</P><LI-CODE lang="markup">| tstats count where index=* earliest=-2h latest=now BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>otherwise, if you don't want to create and manage the lookup, you could check if an host sent logs e.g. in the last 30 days but not in the last 2 hours:</P><LI-CODE lang="markup">| tstats count latest(_time) AS _time where index=* earliest=-30d latest=now BY host | where _time&lt;(now()-7200</LI-CODE><P>the second search requires less maintenance but gives you less control.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 17 Feb 2025 12:57:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711850#M10731 gcusello 2025-02-17T12:57:35Z https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711862#M10732 <P>looks nice, but how to do the correlation with it?</P> Mon, 17 Feb 2025 14:10:32 GMT https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711862#M10732 Sultan77 2025-02-17T14:10:32Z https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711921#M10733 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/276535">@Sultan77</a>&nbsp;,</P><P>sorry, what do you mean with correlation with it?</P><P>Ciao.</P><P>Giuseppe</P> Tue, 18 Feb 2025 15:14:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Silent-Log-Source/m-p/711921#M10733 gcusello 2025-02-18T15:14:17Z