Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Email alert when a data source don't sends events to splunk

andreaf83
Engager
‎12-14-2010 04:08 PM

Is possible in splunk to configure no data alert? I want to receive an email alert when, for any reason, a data source don't sends events to my splunk server for a specified time.

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎12-14-2010 04:44 PM

Yes, provided you can write a search that is specific enough to your data source. See:

http://answers.splunk.com/questions/8764/monitoring-file/8765#8765

0 Karma
Reply

ftk
Motivator
‎12-14-2010 04:43 PM

The following search looks at all hosts in a given index and returns the ones that have not sent any data in the past 10 minutes (1200 seconds):

| metadata type=hosts index=blah |  convert ctime(recentTime) as Recent_Time | where lastTime < (now() - 1200)

You could customize the 1200 to the interval of your choice, then schedule this search and set an alert condition, for example Number of results > 1 (which would fire when there are any hosts that haven't checked in in 1200 seconds).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...