topic Alert if no events seen in X hours in Alerting

Alert if no events seen in X hours

chadroberts — Fri, 29 Apr 2011 18:24:53 GMT

Using the following search:

|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime

I am able to get a list of all hosts and when the last time splunk saw an event from that host. What I would like to do is create a saved search based off of this sort of search that I can use as an alert if lastTime is greater than some number of hours for any particular host. I was imagining something along the lines of

|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime |where NOW - lastTime > 12h

Or something along those lines. Is there a function that would give me NOW (current date/time) and if so, is this the right approach to get what I'm after?

Re: Alert if no events seen in X hours

Ledion_Bitincka — Fri, 29 Apr 2011 19:05:50 GMT

You're looking for the now() function in eval. The following search will alert you if there are any hosts that haven't sent any data for more than one hour (3600 seconds)

# compare last event's time to now 
|metadata type=hosts | eval since=now()-lastTime | search since>3600 |...

OR 
# compare indexer's time when last event came to now
|metadata type=hosts | eval since=now()-recentTime| search since>3600 |...

Re: Alert if no events seen in X hours

chadroberts — Fri, 29 Apr 2011 19:14:12 GMT

Awesome, exactly what I was looking for. Thanks!