https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186446#M3113 <P>Here's a quick way to check for hosts not having sent data in a while:</P> <PRE><CODE>| tstats latest(_time) as latest where index=* by host | where latest &lt; relative_time(now(), "-1d") </CODE></PRE> <P>Change the <CODE>-1d</CODE> according to your needs, run the above search over at least twice the scheduled interval.</P> Tue, 19 Aug 2014 13:24:12 GMT martin_mueller 2014-08-19T13:24:12Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186441#M3108 <P>I want to run a search in splunk to find out that all the devices attached to the splunk server are generating logs. If I dont hear from a device I should receive a alert.</P> <P>thanks</P> Tue, 19 Aug 2014 09:48:49 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186441#M3108 ashari 2014-08-19T09:48:49Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186442#M3109 <P>Hi ashari,</P> <P>check out the <A href="http://apps.splunk.com/app/1294/">Splunk Deployment Monitor</A> there you can find some nice saved searches related to this topic ... keyword: missing forwarders</P> <P>hope that helps ...</P> <P>cheers, MuS</P> Tue, 19 Aug 2014 10:34:02 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186442#M3109 MuS 2014-08-19T10:34:02Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186443#M3110 <P>can we do this without splunk deployment monitor app.</P> Tue, 19 Aug 2014 10:38:22 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186443#M3110 ashari 2014-08-19T10:38:22Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186444#M3111 <P>We had similar siutation and a heartbeat from the other system comes once in every 5 minute. So I'm doing that as a "saved Search" and run every 1 minute and checks data for the previous 6 minutes to see if there is a heartbeat. Else alert. </P> <P>The logic is:</P> <PRE><CODE>index=myindex earliest=-6m@s &lt;your_some_more_Search&gt; | stats count as COUNT_HEARTBEAT | where COUNT_HEARTBEAT=0 </CODE></PRE> Tue, 19 Aug 2014 10:47:30 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186444#M3111 koshyk 2014-08-19T10:47:30Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186445#M3112 <P>sure, although there are a lot of search macros in the saved searches. If you look at the searches you will get an idea how it can be done.<BR /> Otherwise use a lookup file which contains all your forwarder hostnames and check if all of them were seen in the past x minutes. Take a look at this <A href="http://answers.splunk.com/answers/73268/search-for-hosts-in-a-lookup-but-not-in-splunk">http://answers.splunk.com/answers/73268/search-for-hosts-in-a-lookup-but-not-in-splunk</A></P> Tue, 19 Aug 2014 10:51:33 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186445#M3112 MuS 2014-08-19T10:51:33Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186446#M3113 <P>Here's a quick way to check for hosts not having sent data in a while:</P> <PRE><CODE>| tstats latest(_time) as latest where index=* by host | where latest &lt; relative_time(now(), "-1d") </CODE></PRE> <P>Change the <CODE>-1d</CODE> according to your needs, run the above search over at least twice the scheduled interval.</P> Tue, 19 Aug 2014 13:24:12 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-if-no-data-is-generated-from-a-host/m-p/186446#M3113 martin_mueller 2014-08-19T13:24:12Z