Alert when No data received on index more than 24 hours

DanWilkinson — Mon, 08 Nov 2021 15:21:35 GMT

Good Morning, I am trying to create an alert to indicate that data has stopped flowing to a specific index and host after 24 hours, once created, the alert would continuously trigger. but only alerted after a new occurrence of data was received.

My current settings for my alert are as follows:

-------------------------------

Settings

Alert

Safelnk DOM East - No Data > 24 hours

Description

| metadata type=hosts index="index Hidden" |

where host="Hostname_Hidden" | eval age=abs((recentTime-now())) | where age

>86400| table host recentTime age | convert ctime(recentTime)

Scheduled:

run everyday

At:

10:00

Expires:

999

hour(s)

Trigger Conditions

Trigger alert when

Number of Results

is Greater than: 0

Trigger:

Once For each result

Throttle:

Suppress results containing field value:

Suppress triggering for:

hour(s)

Trigger Actions:

When triggered:

Email is sent

-------------------------------

data that is sent when triggered:

host recentTime age
"Hostname_Hidden" 11/08/2021 386

Re: Alert when No data received on index more than 24 hours

bowesmana — Tue, 09 Nov 2021 07:16:46 GMT

Take a look at the TrackMe app

https://splunkbase.splunk.com/app/4621/

It has some neat features for this type of alerting and the throttling/suppression may work in your case.

An alternative would be to store the alerted state in a lookup, which you then check as part of your search each time the alert runs which then will not alert again until the state shows no alert active. You could have a saved search that clears the state when data is seen.

topic Alert when No data received on index more than 24 hours in Alerting

Alert when No data received on index more than 24 hours

Re: Alert when No data received on index more than 24 hours