Re: Help needed with Splunk Search

Roy_9 · ‎12-20-2022

Hello,

I would like to develop a Splunk alert for one of the source where we are ingesting data using REST API by configuring the scripted input on our Heavy Forwarder, I wanted to set up an email alert when ever there is an interruption in data ingestion from the source.

I am using the below search but not seeing any results.

| tstats latest(_time) as latest where index=XYZ by source
| eval recent = if(latest > relative_time(now(),"-10m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0

Can someone please help me with the search?

Thanks

VatsalJagani · ‎12-21-2022

@Roy_9

* Do you see any results when you search below result?

| tstats latest(_time) as latest where index=XYZ by source

* Are you running it on Search head and not on heavy forwarder?

* If it's working in normal scenario, then you can append below line and generate error.

| stats count
| appendpipe [| where count=0 | eval msg="No data found"]
| where count=0

* And you can set a schedule alert on this for example for every 1 hour and run it for the last 1 hour time. And this alert will trigger when there will be no event from the given source in last 1 hour.

I hope this helps!!

Roy_9 · ‎12-29-2022

No @Anonymous

Currently we are not getting any data for those indexes, i would like to set up an alert in such a way whenever data is being getting indexed to those indexes and during the ingestion if there are any issues.

I created a lookup with the metadata and tweaked the search a little and was able to set it up.

Roy_9 · ‎12-20-2022

hi @VatsalJagani , do you have any idea on this?

Help needed with Splunk Search

alert action

alert condition

email

Python

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Splunk Mobile: Your Brand-New Home Screen

Are you a member of the Splunk Community?