Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When monitoring events coming into Splunk, how to alert for new devices or devices not sending events?

davidwaugh
Path Finder
‎03-15-2019 01:19 AM

Hello

I would like to be able to detect
- When a device has stopped sending logs to splunk within a timeframe
- When a new device has started sending logs

How I am thinking of doing this is to run a search every hour so that I can populate a lookup csv with entries like the following:

Hostname : DeviceIP: SourceType: Index: Event First Seen: Event Last Seen

Im afraid I've used other SIEM's but am a bit new to Splunk.
I would then query this table of data to alert when a device has not sent data or when a new device is seen.

What would be the best way to achieve this?

Many thanks for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-15-2019 02:28 AM

Hi @davidwaugh

Try using the metadata command:

| metadata type=hosts index=_internal 
| eval status=case(lastTime<(now()-(86400*3)), "missing", firstTime>(now()-(86400*3)), "new", 1=1, "normal") 
| where status!="normal"

This will show you devices which have not sent data in the last 3 days, or have recently (within 3 days) started sending data.
Run the search over all time.

Note - my example above uses the internal indexes - if your retention on internal data is not very long, you can use index=* to look at your data indexes.

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution

mlmcadams
Engager
‎09-20-2022 07:32 AM

Excellent solution thanks for sharing it @nickhills 

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎03-15-2019 02:28 AM

Hi @davidwaugh

Try using the metadata command:

| metadata type=hosts index=_internal 
| eval status=case(lastTime<(now()-(86400*3)), "missing", firstTime>(now()-(86400*3)), "new", 1=1, "normal") 
| where status!="normal"

This will show you devices which have not sent data in the last 3 days, or have recently (within 3 days) started sending data.
Run the search over all time.

Note - my example above uses the internal indexes - if your retention on internal data is not very long, you can use index=* to look at your data indexes.

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...