https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606559#M14029 <P>Thank you so much , logic works .</P> Thu, 21 Jul 2022 19:10:50 GMT vikas_gopal 2022-07-21T19:10:50Z https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606556#M14027 <P>Hi Experts,</P> <P>I want to trigger an alert when a particular host for source=WinEventLog:Security is not reporting to splunk from last 1 hour. I have a list of 30 critical hosts and for those I have created a csv lookup as shown below</P> <P><STRONG>DC_Machines.csv</STRONG></P> <P>&nbsp;</P> <LI-SPOILER>host&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; source<BR />abc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WinEventLog:Security<BR />bcd&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WinEventLog:Security<BR />xyz&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WinEventLog:Security</LI-SPOILER> <P><STRONG>What I have achieved so far</STRONG></P> <LI-SPOILER>| inputlookup DC_Machines.csv | join type=left host [metadata type=hosts index=os_windows index=os_windows_dc ]<BR />| fillnull recentTime<BR />| where recentTime &lt; relative_time(now(), "-1h")<BR />| fields host,recentTime,source</LI-SPOILER> <P>above gave me a host from lookup table which is not reporting at all(fine) but how about those hosts which are reporting except source=WinEventLog:Security</P> <P><STRONG>What I want</STRONG><BR />above query should only return those host which is missing only one source=WinEventLog:Security</P> <P>My approach might be completely wrong or may be I am missing on something .I tried to add filter on source which is not working in above logic.</P> <P>Any suggestions please .</P> <P>Thank you in advance</P> Thu, 21 Jul 2022 19:46:23 GMT https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606556#M14027 vikas_gopal 2022-07-21T19:46:23Z https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606557#M14028 <P>You overcomplicate it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Just do a</P><PRE>| tstats count where sourcetype=WinEventLog:Security AND (index=os_windows OR index=os_windows_dc) AND earliest=-1h by host</PRE><P>This will give you list of hosts with corresponding events count</P><P>Now you can either append your lookup if you have just a single field named host</P><PRE>| inputlookup append=true DC_Machines.csv</PRE><P>Or do an append if your lookup has more fields</P><PRE>| append [<BR />&nbsp; | inputlookup DC_Machines.cs<BR /> | table host </PRE><P>And now you have to do the magic trick <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><PRE>| fillnull count</PRE><P>To get initial zeros for your hosts from lookup.</P><P>And finally</P><PRE>| stats sum(count) by host</PRE><P>Et voila. You can filter the results any way you want - get only zeros, or non-zeros. It's up to you.</P> Thu, 21 Jul 2022 18:40:07 GMT https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606557#M14028 PickleRick 2022-07-21T18:40:07Z https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606559#M14029 <P>Thank you so much , logic works .</P> Thu, 21 Jul 2022 19:10:50 GMT https://community.splunk.com/t5/Alerting/How-to-trigger-alert-if-host-is-missing-reporting-based-on/m-p/606559#M14029 vikas_gopal 2022-07-21T19:10:50Z