Help needed with Splunk Search



I would like to develop a Splunk alert for one of the source where we are ingesting data using REST API by configuring the scripted input on our Heavy Forwarder, I wanted to set up an email alert when ever there is an interruption in data ingestion from the source.

I am using the below search but not seeing any results.

| tstats latest(_time) as latest where index=XYZ by source
| eval recent = if(latest > relative_time(now(),"-10m"),1,0), realLatest = strftime(latest,"%c")
| where recent=0

Can someone please help me with the search?



Labels (4)
0 Karma



* Do you see any results when you search below result?

| tstats latest(_time) as latest where index=XYZ by source

* Are you running it on Search head and not on heavy forwarder?

* If it's working in normal scenario, then you can append below line and generate error.

| stats count
| appendpipe [| where count=0 | eval msg="No data found"]
| where count=0

* And you can set a schedule alert on this for example for every 1 hour and run it for the last 1 hour time. And this alert will trigger when there will be no event from the given source in last 1 hour.


I hope this helps!!


No @vatsal

Currently we are not getting any data for those indexes, i would like to set up an alert in such a way whenever data is being getting indexed to those indexes and during the ingestion if there are any issues.

I created a lookup with the metadata and tweaked the search a little and was able to set it up.

0 Karma


hi @VatsalJagani , do you have any idea on this?

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...