topic Re: Notify when data ingestion is stopped in Splunk Search

Help with query to notify when data ingestion is stopped

smanojkumar — Tue, 21 Jun 2022 17:02:56 GMT

Query to find when host is stopped,
Here as mentioned in picture, the field _time stopped at the time , when the host is stopped and it's back to normal, when host is started . So need to trigger alert when host is stopped.

Re: Notify when data ingestion is stopped

gcusello — Mon, 20 Jun 2022 10:57:02 GMT

Hi @smanojkumar,

my hint is to create a simple alert like the following:

| metasearch index=ps host="*sapgut301*" process_exec=masvc | head 1

scheduling it every 5 minuts, triggered if results=0.

It's a very quick search that you can run also with an higher frequency.

If instead you want to know if there's one host missing, it's a little bit different, because you need to have a list of host to monitor and put them in a lookup (called e.g. perimeter.csv) containing at least one column (called host) and scheduling a search like the following e.g. every 5 minutes:

Ciao.

Giuseppe

Re: Notify when data ingestion is stopped

smanojkumar — Mon, 20 Jun 2022 11:38:14 GMT

Hi @gcusello ,

Thanks for your response.

If in case , we should trigger only it does not brings data for 1 hour, What will the query?

Re: Notify when data ingestion is stopped

gcusello — Mon, 20 Jun 2022 12:17:45 GMT

Hi @smanojkumar,

the query is the same, the thing to change are the Time Frame and the scheduling.

Anyway, I hint to use an high frequency (e.g. 5 minutes) because if you don't receive logs you're blind!

The minimum frequency depends on eventual delays you have in your data ingestion.

Ciao.

Giuseppe

Re: Notify when data ingestion is stopped

smanojkumar — Mon, 20 Jun 2022 12:21:32 GMT

Hi @gcusello ,

It's worked, Thanks.