How to write a search to alert when a source stops...

bluemarvel · ‎08-07-2016

Hello,

Need a suggestion to set up an alert for when a source stops sending Windows event data. Here is what I have so far, but is this sufficient?

index=windows host=#1 OR host=#2 OR host=#3  | stats count by host | where count<1

skoelpin · ‎08-07-2016

I had to set up a negative alert the other day just like this.. It's very simple to do

Put in your search which will return results

index=windows host=#1 OR host=#2 OR host=#3

Then save as alert then go to where it says Trigger alert when then change to Number of sources and is less than then select your time frame.. In the image I selected 5 minutes.. So this will say, send an alert anytime there is less than 1 new source in a 5 minute window, and the search will run every 5 minutes.. So if your not getting atleast 1 new source every 5 minutes then the alert will fire

inventsekar · ‎08-07-2016

for this task, i hope using metadata would be efficient.

This one will find the hosts that have not sent any events for more than one day.

 | metadata type=hosts index=windows host=one (or .....)| where relative_time(now(), "-1d") > lastTime | convert ctime(lastTime) as Latest_Time | sort -lastTime | table host,Latest_Time

A general query

| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time

How to write a search to alert when a source stops sending Windows event log data?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash