Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to write a search to alert when a source stops sending Windows event log data?

bluemarvel
Path Finder
‎08-07-2016 01:03 AM

Hello,

Need a suggestion to set up an alert for when a source stops sending Windows event data. Here is what I have so far, but is this sufficient?

index=windows host=#1 OR host=#2 OR host=#3  | stats count by host | where count<1
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-07-2016 07:17 AM

I had to set up a negative alert the other day just like this.. It's very simple to do

Put in your search which will return results

index=windows host=#1 OR host=#2 OR host=#3

Then save as alert then go to where it says Trigger alert when then change to Number of sources and is less than then select your time frame.. In the image I selected 5 minutes.. So this will say, send an alert anytime there is less than 1 new source in a 5 minute window, and the search will run every 5 minutes.. So if your not getting atleast 1 new source every 5 minutes then the alert will fire

alt text

Preview file
43 KB
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-07-2016 01:26 AM

for this task, i hope using metadata would be efficient.

This one will find the hosts that have not sent any events for more than one day.

 | metadata type=hosts index=windows host=one (or .....)| where relative_time(now(), "-1d") > lastTime | convert ctime(lastTime) as Latest_Time | sort -lastTime | table host,Latest_Time

A general query

| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...