I am trying to create a search/alert that checks to see if a specific sourcetype and event stops indexing data after 1 minute. I have a search that uses metadata and returns the last index time after a minute (or any time), but I am having trouble using the metadata to narrow the search to only a specific sourcetype and event. Here is the general metadata search I am using.
| metadata type=sourcetypes |where recentTime < now() - 60 | eval LastIndex = strftime(recentTime, "%F %T") | fields + sourcetype LastIndex
Any ideas on how to narrow this down to one sourcetype and event?
Thank you
@somesoni2 has a good idea, although I would do it even more simply: (1) create a lookup table that contains a list of the sourcetypes that need to be checked. (2) run the following search
| inputlookup sourcetype.csv
| eval recentTime = 0
| join type=left sourcetype [| metadata type=sourcetypes ]
| where recentTime < now() - 60
This would give you a list of all the sourcetypes in sourcetype.csv that have not seen new data in the last minute. If you wanted to check only one sourcetype, it gets even easier
| metadata type=sourcetypes
| where sourcetype = "thesourcetypetocheck" AND recentTime < now() - 60
This search returns nothing if the sourcetype has received data, and a single event if it has not received data.
In both cases, you might want to set an alert condition of "number of results > 0".
Now, regarding event:message.in - this changes things. If the rule is "all of the sourcetypes in my list must have at least one event with event:message.in during the last minute" then the test needs to look like this (and the alert condition is still "number of results > 0"):
| inputlookup sourcetype.csv
| join type=left sourcetype [ search earliest=-1m event:message.in=* [ | inputlookup sourcetype.csv ] | stats count by sourcetype ]
| fillnull value=0 count
| where count = 0
If the rule is "a particular sourcetype must have at least one event with event:message.in during the last minute" then this will do it:
earliest=-1m event:message.in=* sourcetype=mysourcetype
For this last search, your alert condition should be "number of results = 0".
Is the sourcetype and field name (event:message.in) fixed? (multiple source types are fine). If yes, then my suggestion would be put them in a lookup table file, and use search like this:
| inputlookup sourcetypeEvent.csv | join type=left sourcetype [ search sourcetype=* event:message.in=* earliest=-1m@m latest=now | fields sourcetype, event:message.in ] | where isnull('event:message.in')
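Both lookup-driven answers above (the join with "count = 0" and the join with isnull) hinge on the same pitfall: when a listed sourcetype has no matching event in the window, a left join leaves the joined field absent rather than zero, so the final where has to test for null or fill the gap. The search below is an added example, not part of either answer, that avoids join entirely: it seeds a zero-count row for every sourcetype in the lookup, appends the real per-sourcetype counts for the last completed minute, and sums them. It assumes a lookup file named sourcetypeEvent.csv with a sourcetype column and uses the field name event:message.in from the question.

```spl
| inputlookup sourcetypeEvent.csv
| fields sourcetype
| eval count=0
| append [ search earliest=-1m@m latest=@m event:message.in=* [| inputlookup sourcetypeEvent.csv | fields sourcetype ]
          | stats count BY sourcetype ]
| stats sum(count) AS count BY sourcetype
| where count=0
```

Schedule it every minute with the alert condition "number of results > 0"; each result row names a sourcetype that produced no event carrying event:message.in in that minute. The inner [| inputlookup ... | fields sourcetype] subsearch expands to an OR of sourcetype="..." clauses, so the raw-event scan is limited to the listed sourcetypes. The @m snapping makes both ends of the window land on whole minutes regardless of when the scheduler actually fires; if events reach the indexer with a delay of more than a few seconds, shift the window back (for example earliest=-2m@m latest=-1m@m) so indexing lag does not trigger false alerts.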
The condition is wrong
[| metadata type=sourcetypes | where recentTime > now() - 60 | eval LastIndex = strftime(recentTime, "%F %T") | fields + sourcetype] | where sourcetype="your_sourcetype" AND field_name like "%event:message.in%" | eval a=1 | stats count | where count=0
You can replace your_sourcetype and field_name with your own values.
Thanks
Sorry, actually it is by sourcetype and a field. The field was specified event:message.in.
So I'm trying to create an alert when my sourcetype with field event:message.in has not had any new data in the last minute.
What do you mean by event here?