Alerting

How to edit my search to alert if there are no events within an hour?

qiaojing
Path Finder

Hi,

I'm trying to create an alert that fires if there is no event logged within an hour.

This is my search string:

sourcetype="bn22_epsin" | dedup Cpk_Num | where _time<now()-3600 | table Cpk_Num _time

I think my search string is wrong. I would like to know which carpark did not make any logs in the last hour. My alert will be configured to search every 15 minutes.

Any help will be greatly appreciated. Thank you.

0 Karma

lcrielaa
Communicator

It's hard to do without an actual sample of what it would look like, but perhaps this would help?

sourcetype="bn22_epsin" earliest=-1h latest=now | dedup Cpk_Num | stats count by Cpk_Num | where count=0

0 Karma

qiaojing
Path Finder

@lcrielaa Hi, thanks for your answer. I tried this and no results were returned. I suspect it's because if there is no log data there is no count=0, and hence count=0 won't return anything? Any idea?

0 Karma
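The point made in the reply above is the crux of the whole thread: a `stats count by Cpk_Num` over the last hour can only produce rows for carparks that logged something, so it can never yield a count of 0 for the ones that went silent. Detecting absence needs a reference list of the carparks that are expected to log, compared against the latest event time per carpark. The following is an added example, not code from the thread or from Splunk; it models that logic in Python over a constructed set of `bn22_epsin`-style events. The carpark IDs, timestamps and the `EXPECTED_CARPARKS` reference list are all made up for illustration (in Splunk that list would typically come from a lookup rather than being hard-coded).

```python
"""
Added example (not from the thread): absence detection for the carpark feed.

A count grouped by Cpk_Num only sees carparks that have events, so "count=0"
never matches. Silence has to be computed against a reference list of the
carparks that should be logging. Everything below is constructed sample data.
"""
from collections import defaultdict

WINDOW_SECONDS = 3600  # the "no event within an hour" threshold from the question

# Constructed reference list of carparks expected to log. In Splunk this would
# be a lookup of known Cpk_Num values, not a literal in the search.
EXPECTED_CARPARKS = {"CP01", "CP02", "CP03", "CP04"}

# Constructed events as (epoch _time, Cpk_Num), relative to a fixed "now".
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    (NOW - 120, "CP01"),
    (NOW - 3000, "CP01"),
    (NOW - 5400, "CP02"),   # last seen 90 minutes ago: stale
    (NOW - 60, "CP03"),
    # CP04 never appears at all: silent, and invisible to any count of events
]


def count_by_carpark(events, now, window=WINDOW_SECONDS):
    """Equivalent of `earliest=-1h | stats count by Cpk_Num`.

    Returns counts only for carparks that have at least one event in the
    window; there are no zero rows, which is why `where count=0` is empty.
    """
    counts = defaultdict(int)
    for ts, cpk in events:
        if now - window <= ts <= now:
            counts[cpk] += 1
    return dict(counts)


def last_seen_by_carpark(events):
    """Equivalent of `stats latest(_time) as last_seen by Cpk_Num`."""
    last = {}
    for ts, cpk in events:
        if cpk not in last or ts > last[cpk]:
            last[cpk] = ts
    return last


def silent_carparks(events, expected, now, window=WINDOW_SECONDS):
    """Carparks from the reference list with no event in the last `window`
    seconds, including those with no events at all.

    Returns {Cpk_Num: seconds_since_last_event} with None for never-seen IDs,
    i.e. the rows an alert should fire on.
    """
    last = last_seen_by_carpark(events)
    silent = {}
    for cpk in sorted(expected):
        seen = last.get(cpk)
        if seen is None:
            silent[cpk] = None            # never logged: not derivable from events
        elif now - seen > window:
            silent[cpk] = now - seen      # logged, but too long ago
    return silent


if __name__ == "__main__":
    print("count by carpark:", count_by_carpark(SAMPLE_EVENTS, NOW))
    print("silent carparks:", silent_carparks(SAMPLE_EVENTS, EXPECTED_CARPARKS, NOW))
```

Run as written, `count_by_carpark` returns entries only for CP01 and CP03, while `silent_carparks` flags CP02 (stale) and CP04 (never seen). The Splunk shape of the same idea is to append the reference list (for example from a lookup via `inputlookup`) to the per-carpark `latest(_time)` result and keep the rows whose latest time is missing or older than `now()-3600`; a scheduled search every 15 minutes can then alert when that result set is non-empty.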

sundareshr
Legend

Try this

| metadata type=sourcetypes | where sourcetype="bn22_epsin" AND lasttime<now()-3600

0 Karma

qiaojing
Path Finder

@sundareshr could you explain what the metadata part is for? Thank you 🙂

0 Karma

sundareshr
Legend

The metadata command is a generating command and should be the first command in the search. Generating commands use a leading pipe character. It returns a list of sources, sourcetypes, or hosts from a specified index.

0 Karma

qiaojing
Path Finder

@sundareshr Oh I see. Can you explain further the difference between using the metadata command instead of just searching for sourcetype="" directly?

I tried the above search but no results were returned. Any idea why that's the case?

Thank you so much for your answer 🙂

0 Karma