Solved: Splunk Alert if host on lookup stops sending data

scout29 · ‎10-25-2023

Looking to create an alert if a host on a lookup stops sending data to Splunk index=abc. I have created a lookup called hosts.csv with all the hosts expected to be logging for a data source. Now i need to create a search/alert that notifies me if a host on this lookup stops sending data to index=abc

I was trying something like this search below, but now having much luck:

| tstats count where index=abc host NOT [| inputlookup hosts.csv] by host

The lookup called hosts.csv is formatted with the column name being host, for example like:

host

hostname101

hostname102

hostname103

hostname104

gcusello · ‎10-25-2023

Hi @scout29 ,

please try something like this:

| tstats count where index=abc BY host 
| append [ | inputlookup hosts.csv | eval count=0 | fields host count]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

View solution in original post

gcusello · ‎10-25-2023

Hi @scout29 ,

please try something like this:

| tstats count where index=abc BY host 
| append [ | inputlookup hosts.csv | eval count=0 | fields host count]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

gcusello · ‎10-25-2023

Hi @scout29

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Splunk Alert if host on lookup stops sending data

alert action

alert condition

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)