Alerting

How to create an email alert when a host stops sending data from a particular sourcetype?

macadminrohit
Contributor

Hi,

I have few sourcetypes which sometimes stops sending the data because of some indexer issues. Each hosts send data to multiple sourcetypes and I want to get an alert when any of the hosts stops sending the data for a particular sourcetype. I saw some old posts related to this but they don't exactly fit to my requirement.

Also in the email alert, I need to see which host is missing data from which sourcetype??

woodcock
Esteemed Legend

You need the Meta Woot! app:

https://splunkbase.splunk.com/app/2949/

mattymo
Splunk Employee
Splunk Employee

meta woot +1

- MattyMo
0 Karma

kiran331
Builder
0 Karma

skoelpin
SplunkTrust
SplunkTrust

You could run a simple negative search to alert on when it stops forwarding

Create a search to identify which sourcetype you want to monitor.. index=test host="172.30.29.188" sourcetype=access_combined

The picture below says, send an email alert when my sourcetype doesn't appear within a 10 minute window

alt text

0 Karma

macadminrohit
Contributor

this is a good solution, but in my case there are multiple hosts and sourcetypes. So if I create individual search queries the list will be huge, instead I would like to use the lookup option.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You can do this in the Monitoring Console (MC).. Go to Settings>Monitoring Console

Click the Forwarders tab and enable it.. Rebuild your assets by clicking the button and time interval

Then go to Settings while in the MC then Alert Settingsand choose DMC Alert Missing ForwardersEnable it, then Advanced Edit, then edit it like I showed you in the image above

This will then monitor all your forwarders for the missing source/sourcetype

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...