topic alert when host sends less than 100 logs per hour in Alerting https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304013#M5469 <P>how to see when a set of host send under 100 logs per hour? stats count wont show a value of 0. and you cant use HEAD with fields(that i know of). Whats the best way to do this?</P> Fri, 19 May 2017 16:08:40 GMT sbattista09 2017-05-19T16:08:40Z alert when host sends less than 100 logs per hour https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304013#M5469 <P>how to see when a set of host send under 100 logs per hour? stats count wont show a value of 0. and you cant use HEAD with fields(that i know of). Whats the best way to do this?</P> Fri, 19 May 2017 16:08:40 GMT https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304013#M5469 sbattista09 2017-05-19T16:08:40Z Re: alert when host sends less than 100 logs per hour https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304014#M5470 <P>need to alert on hosts sending under 100 or so logs per hour. </P> Fri, 19 May 2017 16:09:37 GMT https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304014#M5470 sbattista09 2017-05-19T16:09:37Z Re: alert when host sends less than 100 logs per hour https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304015#M5471 <P>when you say logs you mean events or source?</P> Fri, 19 May 2017 16:18:19 GMT https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304015#M5471 adonio 2017-05-19T16:18:19Z Re: alert when host sends less than 100 logs per hour https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304016#M5472 <P>logs as in events.</P> Fri, 19 May 2017 16:22:21 GMT https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304016#M5472 sbattista09 2017-05-19T16:22:21Z Re: alert when host sends less than 100 logs per hour https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304017#M5473 <P>you can use | tstats command, for the last 60 minutes every hour</P> <PRE><CODE> | tstats count where index = * by host | where count &lt; 100 </CODE></PRE> <P>save as an alert and triger where count = 0</P> <P>hope it helps</P> Fri, 19 May 2017 17:19:55 GMT https://community.splunk.com/t5/Alerting/alert-when-host-sends-less-than-100-logs-per-hour/m-p/304017#M5473 adonio 2017-05-19T17:19:55Z