Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logging frequency of my index,sourcetype and host

thippeshaj
Explorer
‎04-06-2020 08:11 AM

Hi Splunkers,

How do I calculate the logging frequency of my index=xxx sourcetype=yyy host=zzz?

Explanation: I have a different set of logs which sends logs with different frequency, some of them send every minute/hour and some of them send the logs once a day. so basically logging frequency is not fixed, it's dynamic.

I'm trying to find out a way to alert if a particular index=xxx sourcetype=yyy host=zzz stops sending logs, I want a dynamic way of calculating the frequency threshold wherein I can say (now()-last_event_time) > threshold, I don't want to use something like which is basically find the difference between the last event time VS the current and some random threshold.

I want Splunk to tell the ideal threshold for my index,sourcetype and host combination.
For example; A particular logs from index=a host=b sourceype=c logs once in a day, so here I want Splunk to tell an ideal threshold I can use ( maybe ~ 1day or ~ 24 hours) as the threshold to set an alert.
another example, a particular logs from index=g sourcetype=h host=i logs every 4.5/5 hours, so here I want Splunk to tell an ideal threshold I can use ( maybe ~ 4H or ~ 4.5h or 5h or xh) as the threshold to set an alert.

so using this I can set an alert like (now()-last_event_time) > threshold

Thanks in advance.

Happy Splunking.

Labels (1)
Labels
0 Karma
Reply

amehlmann
Engager
‎08-23-2024 01:27 AM

Hi,

 

you can calculate the average timespan between events using

| tstats count as event_count, latest(_time) as latest_time, earliest(_time) as earliest_time by host,index
| eval total_time_spans = latest_time - earliest_time
| eval average_time_span = total_time_spans / (event_count - 1)
| stats avg(average_time_span) as avg_time_span by host,index

 

But beware since this makes only sense if you have regular reporting hosts/indexes. this will not work if one host e.g. sends 1k events once a day.

0 Karma
Reply

MKozanic
Path Finder
‎11-11-2021 03:48 PM

Hi @thippeshaj ,

Just wondering if you worked out a solution for this?

I'm currently looking for something similar to be able to configure alerts based on previous indexing frequency

0 Karma
Reply

dmuralidaran_sp
Splunk Employee
Splunk Employee
‎04-07-2020 07:22 AM

How about configuring an alert to see if you get new data every interval according to the configuration for each host machine?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...