https://community.splunk.com/t5/Splunk-Enterprise-Security/how-to-calculate-time-between-events-for-the-past-month/m-p/492852#M8428 <P>Hello, </P> <P>I have an index for a symantec produt, and I have to write a search to alert if any of the sourcetypes doesn't get any data in for a certain amount of time.</P> <P>Calculating the time is a little tricky for me, since it has to ba searches this way:</P> <P>Searching for the time differences between all events by sourcetypes for the last month, and make a summary of it.</P> <P>The alert should apear everytime the index won't get data from a certain sourcetype for longer time than the result from the search above.</P> <P>I would realy love to get some help,<BR /> thank you! </P> Sun, 24 Nov 2019 12:33:14 GMT sabinayousoubuv 2019-11-24T12:33:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/how-to-calculate-time-between-events-for-the-past-month/m-p/492852#M8428 <P>Hello, </P> <P>I have an index for a symantec produt, and I have to write a search to alert if any of the sourcetypes doesn't get any data in for a certain amount of time.</P> <P>Calculating the time is a little tricky for me, since it has to ba searches this way:</P> <P>Searching for the time differences between all events by sourcetypes for the last month, and make a summary of it.</P> <P>The alert should apear everytime the index won't get data from a certain sourcetype for longer time than the result from the search above.</P> <P>I would realy love to get some help,<BR /> thank you! </P> Sun, 24 Nov 2019 12:33:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/how-to-calculate-time-between-events-for-the-past-month/m-p/492852#M8428 sabinayousoubuv 2019-11-24T12:33:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/how-to-calculate-time-between-events-for-the-past-month/m-p/492853#M8429 <P>Don't reinvent the wheel; this has been solved many times including:<BR /> Meta Woot!: <A href="https://splunkbase.splunk.com/app/2949/">https://splunkbase.splunk.com/app/2949/</A><BR /> TrackMe: <A href="https://splunkbase.splunk.com/app/4621/">https://splunkbase.splunk.com/app/4621/</A>,<BR /> Broken Hosts App for Splunk: <A href="https://splunkbase.splunk.com/app/3247/">https://splunkbase.splunk.com/app/3247/</A><BR /> Alerts for Splunk Admins ("ForwarderLevel" alerts): <A href="https://splunkbase.splunk.com/app/3796/">https://splunkbase.splunk.com/app/3796/</A><BR /> Splunk Security Essentials(<A href="https://docs.splunksecurityessentials.com/features/sse_data_availability/):">https://docs.splunksecurityessentials.com/features/sse_data_availability/):</A> <A href="https://splunkbase.splunk.com/app/3435/">https://splunkbase.splunk.com/app/3435/</A><BR /> Monitoring Console: <A href="https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring">https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring</A><BR /> Deployment Server: <A href="https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings">https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings</A></P> Mon, 25 Nov 2019 05:29:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/how-to-calculate-time-between-events-for-the-past-month/m-p/492853#M8429 woodcock 2019-11-25T05:29:57Z