topic Query for data sources not reporting an event in a specific time period. in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398813#M4484 <P>Hi,</P> <P>I would request a query where if a log source has stopped sending an event to splunk for a specific time period, it should alert me.</P> <P>Example index=proxy sourcetype=test_5 not giving any result for last 15 mins.</P> Wed, 17 Jul 2019 08:42:26 GMT staparia 2019-07-17T08:42:26Z Query for data sources not reporting an event in a specific time period. https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398813#M4484 <P>Hi,</P> <P>I would request a query where if a log source has stopped sending an event to splunk for a specific time period, it should alert me.</P> <P>Example index=proxy sourcetype=test_5 not giving any result for last 15 mins.</P> Wed, 17 Jul 2019 08:42:26 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398813#M4484 staparia 2019-07-17T08:42:26Z Re: Query for data sources not reporting an event in a specific time period. https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398814#M4485 <P>@staparia ,</P> <PRE><CODE>index=proxy sourcetype=test_5 earliest=-15m|stats count|where count &gt; 0 </CODE></PRE> <P>Set an alert for 'No of events is less than 0'</P> Wed, 17 Jul 2019 09:56:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398814#M4485 renjith_nair 2019-07-17T09:56:51Z Re: Query for data sources not reporting an event in a specific time period. https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398815#M4486 <PRE><CODE>index=*| stats count as event_count by sourcetype |append[|metadata type=sourcetypes index=* OR index=_*| eval event_count=coalesce(event_count, 0) | table sourcetype,event_count] | where event_count = 0 </CODE></PRE> Wed, 17 Jul 2019 11:48:50 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-for-data-sources-not-reporting-an-event-in-a-specific-time/m-p/398815#M4486 paramagurukarth 2019-07-17T11:48:50Z