topic How to edit my search to find the name of each server that has not reported in the last 4 hours? in Splunk Search

How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang — Thu, 04 Jun 2015 01:38:18 GMT

Hi all,

I am a new one to splunk. Now i am facing some problem to get the data as I want.
I have more than 250 servers forwarding data to splunk, and the events are updated every hour as a group. For example, each server will sent the total number of interaction for the last hour. now I want to find every server name which has not sent data for the last 4 hours.
When I search the event, if there is no data sending, then the server name will not display after search, so I can't get them. My question is how can I get all server names and then find out those who are no longer sending. Please kindly help me on this.
My base search:

 interaction_count="*" LIVE| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date

Thanks in advance~~~

Re: How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang — Thu, 04 Jun 2015 01:43:41 GMT

One thing need mention is that, if there is no interaction in 1 hour, it still send a event, but the sum(interaction_count) is 0. Now I want to find out no data reporting screen, which shows blank not 0 if we show one day event by hour.

Re: How to edit my search to find the name of each server that has not reported in the last 4 hours?

woodcock — Thu, 04 Jun 2015 13:32:49 GMT

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400

Re: How to edit my search to find the name of each server that has not reported in the last 4 hours?

stephanefotso — Thu, 04 Jun 2015 14:05:02 GMT

Here you go!

interaction_count="*" LIVE|bucket _time span=4h| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date|where sum_interaction_count=0

Re: How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang — Fri, 05 Jun 2015 06:04:25 GMT

Thanks so much Woodcock, it works!!

Re: How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang — Fri, 05 Jun 2015 06:05:09 GMT

Thanks for your help Stephanefotso.