Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to set up an alert when an server goes down or not reporting logs to Splunk?

phanichintha
Path Finder
‎05-20-2019 02:38 AM

Some days back one of the servers went down but we don't know at that time, we get to know after some days, we don't have logs to check how it happens, so for this what is the query or solution or alerts for this case.

Tags (1)
0 Karma
Reply

koshyk
Super Champion
‎05-20-2019 05:26 AM

Does the server send a heartbeat message? If you are looking for specific hosts then;

If yes, something of this logic. And put it as a savedsearch and run it every x minutes for alerting to your mail or Alerting System

index=someindex sourcetype=someheartBeat | stats count | eval AlertFlag=if(count > 0, "No","Yes")

Or you can based the logic on internal index every 30mins or so.

index=_internal sourcetype=splunkd source=*metrics.log host=someimportantHost| stats count | eval AlertFlag=if(count > 0, "No","Yes")

..

Reply

renjith_nair
Legend
‎05-20-2019 05:21 AM

@phanichintha

Try 

|metadata type=hosts index=_* index=*
|where now()-lastTime > 10

Finds the difference between now and last time the host reported an event to any index and alerts if the difference is greater than 10 seconds. You can adjust the threshold according to your requirement (in secs)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...