Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert for lack of conent for one host

ddrillic
Ultra Champion
‎04-03-2017 07:31 AM

We have a case in which one index gets its content from 200 hosts and we would like to get an alert when one host hasn't sent content in the past hour or so.

One way might be to run a query like this one for the past month and join it with a similar query for the past hour and determine which hosts are missing -

index=<index_name> | stats count by host | sort count asc

Does it make sense?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-03-2017 07:45 AM

You should either use metadata or tstats which are more specific to scenarios like this and would perform better

metadata command will give you lastTime as one of the field for timestamp of Last Event received. You can use the same to come up with your alert. 

| metadata type=hosts index=<YourIndexName>
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1

Similarly for tsats

| tstats count max(_time) as lastTime WHERE index=<YourIndexName> BY host
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-03-2017 07:45 AM

You should either use metadata or tstats which are more specific to scenarios like this and would perform better

metadata command will give you lastTime as one of the field for timestamp of Last Event received. You can use the same to come up with your alert. 

| metadata type=hosts index=<YourIndexName>
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1

Similarly for tsats

| tstats count max(_time) as lastTime WHERE index=<YourIndexName> BY host
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎04-03-2017 08:25 AM

Fascinating to see the results!!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...