https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343291#M6055 <P>I suppose I misunderstood what metadata is used for. Thanks.</P> Mon, 31 Jul 2017 14:54:03 GMT drizzo 2017-07-31T14:54:03Z https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343288#M6052 <P>So, I have my Phone Home Error search; when I type it into the Search Bar, it pulls up all hosts not connected. However, when I try to set it up as an alert, it will only send out an Alert for the first one that disconnected. I have it Throttled, but for suppressing those with the same host.</P> <P>Also, over time, it will stop pulling computers that have been disconnected from the server for more than 7 days. The only way to get them is to do an <EM>All Time</EM> search (using the search string from the alert).</P> <P>I'm a little lost, and would be thankful for any guidance. Thanks.</P> <P><STRONG>My Search:</STRONG> </P> <PRE><CODE>| metadata type=hosts index=_internal | eval age=now()-recentTime | where age &gt; 300 | eval "Time Indexed"=strftime(_time, "%Y/%d/%m %H:%M") | eval "Computer Host"=host | eval "Time Last Connected"=tostring(age, "duration") | eval "Date Last Connected"=strftime=)recentTime, ""%+") | table "Computer Host", "Time Last Connected", "Date Last Connected" </CODE></PRE> <P><STRONG>My Alert Settings:</STRONG> </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3299i1BBE17D6D179EF64/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 31 Jul 2017 13:54:37 GMT https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343288#M6052 drizzo 2017-07-31T13:54:37Z https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343289#M6053 <P>Try to change query like below,</P> <P>| inputlookup dmc_forwarder_assets<BR /> | search status="missing" AND os="Windows"<BR /> | fields hostname os arch forwarder_type version last_connected status <BR /> | rename hostname as Instance <BR /> | eval now=now() | eval Duration_Not_Connected=now-last_connected | where Duration_Not_Connected&lt;=2592000 | fields - last_connected now | sort Duration_Not_Connected | eval Duration_Not_Connected_Days = round(Duration_Not_Connected/86400,0)</P> Tue, 29 Sep 2020 15:09:56 GMT https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343289#M6053 sbbadri 2020-09-29T15:09:56Z https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343290#M6054 <P>Generally, when using the <CODE>metadata</CODE> command for something like this, you should be using <CODE>All time</CODE> for your search span. The way that <CODE>metadata</CODE> works is to go to buckets written within your span and give you a summary of that If you limit your search's time to a window that does not include any buckets, then you will get no summary, which is NOT what you need. So set it to <CODE>All time</CODE> (or a REALLY long time) and do not at all be concerned that you are doing a deep/expensive search, because for this particular command, you definitely are not because like <CODE>tstats</CODE>, it is operating on the metadata.</P> Mon, 31 Jul 2017 14:27:58 GMT https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343290#M6054 woodcock 2017-07-31T14:27:58Z https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343291#M6055 <P>I suppose I misunderstood what metadata is used for. Thanks.</P> Mon, 31 Jul 2017 14:54:03 GMT https://community.splunk.com/t5/Alerting/Phone-Home-Error-Not-Alerting-Properly/m-p/343291#M6055 drizzo 2017-07-31T14:54:03Z