Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert if no log messages

rmacurak
Explorer
‎10-01-2010 02:20 PM

I'm indexing logfiles from a custom web application that receives nonstop traffic, resulting in virtually nonstop log messages. Occasionally (unfortunately) the application will hang, resulting in a gap in the logging. I'd like to be alerted if this condition occurs. Any ideas on how to search/alert in realtime for "gaps" in the log file, or an absence of data?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-01-2010 02:58 PM

If you just want the immediate alert (no historical reporting), you could do something like:

| metadata type=sources | search source=yoursource | eval age=now()-lastTime | search age>60

If it returns any results, your source has not reported in a longer-than-expected amount of time (60 seconds in this case).

Note: It's not clear to me whether it's preferable to use lastTime or RecentTime in the eval statement. Maybe someone else can explain the difference.

View solution in original post

Reply
Solved! Jump to solution

bshields1
New Member
‎01-30-2013 08:00 AM

So how does the search change to test for a count of at least 1 record? I'm new to Splunk and not sure what to add to the search noted above.

0 Karma
Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-01-2010 02:58 PM

If you just want the immediate alert (no historical reporting), you could do something like:

| metadata type=sources | search source=yoursource | eval age=now()-lastTime | search age>60

If it returns any results, your source has not reported in a longer-than-expected amount of time (60 seconds in this case).

Note: It's not clear to me whether it's preferable to use lastTime or RecentTime in the eval statement. Maybe someone else can explain the difference.

Reply
Solved! Jump to solution

rmacurak
Explorer
‎10-04-2010 05:17 PM

Perhaps not. Ideally I'd be able to identify 5-10 second gaps in the logs, which indicates the "hanging" condition. I'll investigate your hypothesis, thanks.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎10-04-2010 05:07 PM

My guess (and only a guess) is that events are streaming, but the metadata only gets updated every 30 seconds. Is that really a problem though? How often do you want to run the saved search?

0 Karma
Reply
Solved! Jump to solution

rmacurak
Explorer
‎10-04-2010 03:59 PM

Unfortunately I was too quick to mark this as solved. It seems that the "age" always grows to 30s and resets to 0s, indicating that the remote Splunk servers that feed this index are only sending data every 30 seconds, even though the logs are constantly written -- does that sound plausible? If so, how do I instruct the Splunk forwarders to stream data in realtime rather than batching every 30 seconds?

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎10-01-2010 08:27 PM

lastTime is the time value of the last event received's timestamp.

recentTime is the last time (on the index server) that an event was received.

0 Karma
Reply
Solved! Jump to solution

rmacurak
Explorer
‎10-01-2010 05:40 PM

Elegant. Thank you very much.

0 Karma
Reply
Solved! Jump to solution

christopherutz
Path Finder
‎10-01-2010 02:23 PM

Our solution for this was to run a saved search every n minutes that searches back n minutes for everything. If the results count is less than 1 we send an email. Although not real time, we use n = 5 which fits our needs.

0 Karma
Reply
Solved! Jump to solution

rmacurak
Explorer
‎10-01-2010 05:47 PM

This was my initial idea as well, but I figured there was a better way. This is a good way to look back at historical data, though, which also comes in handy

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...