Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert for lack of conent for one host

ddrillic
Ultra Champion
‎04-03-2017 07:31 AM

We have a case in which one index gets its content from 200 hosts and we would like to get an alert when one host hasn't sent content in the past hour or so.

One way might be to run a query like this one for the past month and join it with a similar query for the past hour and determine which hosts are missing -

index=<index_name> | stats count by host | sort count asc

Does it make sense?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-03-2017 07:45 AM

You should either use metadata or tstats which are more specific to scenarios like this and would perform better

metadata command will give you lastTime as one of the field for timestamp of Last Event received. You can use the same to come up with your alert. 

| metadata type=hosts index=<YourIndexName>
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1

Similarly for tsats

| tstats count max(_time) as lastTime WHERE index=<YourIndexName> BY host
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-03-2017 07:45 AM

You should either use metadata or tstats which are more specific to scenarios like this and would perform better

metadata command will give you lastTime as one of the field for timestamp of Last Event received. You can use the same to come up with your alert. 

| metadata type=hosts index=<YourIndexName>
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1

Similarly for tsats

| tstats count max(_time) as lastTime WHERE index=<YourIndexName> BY host
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎04-03-2017 08:25 AM

Fascinating to see the results!!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...