Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help needed with Splunk Search

Roy_9
Motivator
‎12-20-2022 11:12 AM

Hello,

I would like to develop a Splunk alert for one of the source where we are ingesting data using REST API by configuring the scripted input on our Heavy Forwarder, I wanted to set up an email alert when ever there is an interruption in data ingestion from the source.

I am using the below search but not seeing any results.

| tstats latest(_time) as latest where index=XYZ by source
| eval recent = if(latest > relative_time(now(),"-10m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0



Can someone please help me with the search?

 

Thanks

Labels (4)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎12-21-2022 01:58 AM

@Roy_9 

* Do you see any results when you search below result?

| tstats latest(_time) as latest where index=XYZ by source


* Are you running it on Search head and not on heavy forwarder?

* If it's working in normal scenario, then you can append below line and generate error.

| stats count
| appendpipe [| where count=0 | eval msg="No data found"]
| where count=0

* And you can set a schedule alert on this for example for every 1 hour and run it for the last 1 hour time. And this alert will trigger when there will be no event from the given source in last 1 hour.

 

I hope this helps!!

Reply

Roy_9
Motivator
‎12-29-2022 02:23 PM

No @Anonymous

Currently we are not getting any data for those indexes, i would like to set up an alert in such a way whenever data is being getting indexed to those indexes and during the ingestion if there are any issues.

I created a lookup with the metadata and tweaked the search a little and was able to set it up.

0 Karma
Reply

Roy_9
Motivator
‎12-20-2022 04:00 PM

hi @VatsalJagani , do you have any idea on this?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...