Solved: Re: Alert for No events indexed for Sourcetypes

peter_gianusso · ‎03-19-2013

Trying to create an alert that given multiple sourcetypes, will alert when there are no events by sourcetype in the last 2 hours

So if my single saved search includes 6 sourcetypes and 2 have not had an event indexed in the last 4 hours, then the alert will contain a list of the 2 sourcetypes.

I tried the following:
sourcetype="PROD_FIC_NJ_OMNI_LOG" OR sourcetype="PROD_HODA_MN_OMNI_LOG" OR sourcetype="PROD_HODA_PA_OMNI_LOG" OR sourcetype="PROD_NBCAP_OMNI_LOG") |bucket _time span=4h| stats count by sourcetype

But it only returns the sourcetypes that have events. Not the sourcetypes that have no events

Thanks!!

Ayn · ‎03-19-2013

A much quicker and more efficient approach would be to use the metadata command instead (if these sourcetypes you define have gotten events at least at some point).

| metadata type=sourcetypes | search sourcetype="PROD_FIC_NJ_OMNI_LOG" OR sourcetype="PROD_HODA_MN_OMNI_LOG" OR sourcetype="PROD_HODA_PA_OMNI_LOG" OR sourcetype="PROD_NBCAP_OMNI_LOG" | where lastTime<now()-14400

View solution in original post

Ayn · ‎03-19-2013

A much quicker and more efficient approach would be to use the metadata command instead (if these sourcetypes you define have gotten events at least at some point).

| metadata type=sourcetypes | search sourcetype="PROD_FIC_NJ_OMNI_LOG" OR sourcetype="PROD_HODA_MN_OMNI_LOG" OR sourcetype="PROD_HODA_PA_OMNI_LOG" OR sourcetype="PROD_NBCAP_OMNI_LOG" | where lastTime<now()-14400

Alert for No events indexed for Sourcetypes

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life