https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746462#M241649 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310274">@te25</a>&nbsp;</P><P>This might work, it assumes the lookup has a list of firewalls with a "host" field:</P><LI-CODE lang="markup">| inputlookup firewall_lookup.csv | eval reported=0 | append [ search index=yourIndex sourcetype=pan:traffic earliest=-15m | stats count by host | eval reported=1 | fields firewall reported ] | stats max(reported) as reported by host | rex field=host "(?&lt;pair&gt;[^0-9]+)" | stats sum(reported) as reporting_count, values(host) as firewalls by pair | where reporting_count=0 | table pair firewalls</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 19 May 2025 11:58:49 GMT livehybrid 2025-05-19T11:58:49Z https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746459#M241647 <P>Hello.&nbsp;<BR />I am working on creating an alert in Splunk for detecting when a firewall stops sending logs. We have all logs from firewalls forwarded to syslog in Splunk as sourcetype=pan:traffic . The problem is we have ha-pairs/ active and passive firewall and I don't see how to construct the query to check when BOTH firewalls (let's say active city-fw01 and passive city-fw02) don't send logs. We have more than 100 devices so I am using a lookup table with the list.&nbsp;<BR />Any idea would be great, thanks.<BR /><BR /></P> Mon, 19 May 2025 11:40:31 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746459#M241647 te25 2025-05-19T11:40:31Z https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746460#M241648 <P>Have your lookup return the common name for the ha pair and detect when the pair has not sent logs (recently)</P> Mon, 19 May 2025 11:48:24 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746460#M241648 ITWhisperer 2025-05-19T11:48:24Z https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746462#M241649 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310274">@te25</a>&nbsp;</P><P>This might work, it assumes the lookup has a list of firewalls with a "host" field:</P><LI-CODE lang="markup">| inputlookup firewall_lookup.csv | eval reported=0 | append [ search index=yourIndex sourcetype=pan:traffic earliest=-15m | stats count by host | eval reported=1 | fields firewall reported ] | stats max(reported) as reported by host | rex field=host "(?&lt;pair&gt;[^0-9]+)" | stats sum(reported) as reporting_count, values(host) as firewalls by pair | where reporting_count=0 | table pair firewalls</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 19 May 2025 11:58:49 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746462#M241649 livehybrid 2025-05-19T11:58:49Z https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746475#M241650 <P>Hi</P><P>here is list of different articles how this can do in splunk.</P><P>There are a lot of options for finding hosts or sources that stop submitting events:</P><UL><LI>Meta Woot! <A href="https://splunkbase.splunk.com/app/2949/" target="_blank">https://splunkbase.splunk.com/app/2949/ </A></LI><LI>TrackMe <A href="https://splunkbase.splunk.com/app/4621/" target="_blank">https://splunkbase.splunk.com/app/4621/ </A></LI><LI>Broken Hosts App for Splunk <A href="https://splunkbase.splunk.com/app/3247/" target="_blank">https://splunkbase.splunk.com/app/3247/ </A></LI><LI>Alerts for Splunk Admins ("ForwarderLevel" alerts) <A href="https://splunkbase.splunk.com/app/3796/" target="_blank">https://splunkbase.splunk.com/app/3796/ </A></LI><LI>Monitoring Console <A href="https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring </A></LI><LI>Deployment Server <A href="https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings" target="_blank">https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings</A></LI></UL><P>Some helpful posts:</P><UL><LI><A href="https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe" target="_blank">https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe</A></LI><LI><A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A></LI></UL><P>&nbsp;</P> Mon, 19 May 2025 14:46:52 GMT https://community.splunk.com/t5/Splunk-Search/Alert-when-firewall-stops-reporting-to-syslog/m-p/746475#M241650 isoutamo 2025-05-19T14:46:52Z