https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282368#M85252 <P>I'll include the "Splunk newb here" disclaimer to start off with...</P> <P>I have an agent that drops a new event every 50 - 55 seconds to a log file. I'm already pulling a few reports off this log, but what I'd like to do is use this log to tell if the agent is active. So far I have the following query (which I found on Answers):</P> <PRE><CODE>index=my_index sourcetype=my_sourcetype | stats latest(_time) as latestTime by host source | eval latestTime=strftime(latestTime,"%x %X") </CODE></PRE> <P>This gives me a table that displays host, source, and latest time an event was registered in that file.</P> <P>What I'd like to do from here is perform an eval of some sort where if the latest time is older than 5m indicate the host that is missing is down. I'd like to display it... somehow. A pie chart was my initial thought.</P> <P>Any help would be appreciated.</P> Thu, 15 Dec 2016 17:20:19 GMT csprice 2016-12-15T17:20:19Z https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282368#M85252 <P>I'll include the "Splunk newb here" disclaimer to start off with...</P> <P>I have an agent that drops a new event every 50 - 55 seconds to a log file. I'm already pulling a few reports off this log, but what I'd like to do is use this log to tell if the agent is active. So far I have the following query (which I found on Answers):</P> <PRE><CODE>index=my_index sourcetype=my_sourcetype | stats latest(_time) as latestTime by host source | eval latestTime=strftime(latestTime,"%x %X") </CODE></PRE> <P>This gives me a table that displays host, source, and latest time an event was registered in that file.</P> <P>What I'd like to do from here is perform an eval of some sort where if the latest time is older than 5m indicate the host that is missing is down. I'd like to display it... somehow. A pie chart was my initial thought.</P> <P>Any help would be appreciated.</P> Thu, 15 Dec 2016 17:20:19 GMT https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282368#M85252 csprice 2016-12-15T17:20:19Z https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282369#M85253 <PRE><CODE>| metadata type=hosts |where recentTime &lt; now() - 300 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen </CODE></PRE> Thu, 15 Dec 2016 18:14:58 GMT https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282369#M85253 dmaislin_splunk 2016-12-15T18:14:58Z https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282370#M85254 <P>Maybe this will help.</P> <PRE><CODE> index=my_index sourcetype=my_sourcetype | stats latest(_time) as latestTime by host source | eval status=if (now()-latestTime &gt; 300, "Down", "Up") | eval latestTime=strftime(latestTime,"%x %X") | table host source status </CODE></PRE> Thu, 15 Dec 2016 18:15:30 GMT https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282370#M85254 richgalloway 2016-12-15T18:15:30Z https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282371#M85255 <P>Fantastic. Did exactly what I was after. Thank you!</P> Thu, 15 Dec 2016 19:20:08 GMT https://community.splunk.com/t5/Splunk-Search/Using-an-app-generated-log-file-how-to-generate-a-search-that/m-p/282371#M85255 csprice 2016-12-15T19:20:08Z