I know this may be backward, but do we have the ability to create an alert if data ingest fails, so I can know ahead of time?
Hi @mockinator44,
as @PickleRick said: what do you mean by "data fails to ingest ahead of time"?
If you mean that a server stops sending data, you could create a lookup (called e.g. perimeter.csv and containing one column called host) containing all the servers to monitor, then you could run something like this:
| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Ciao.
Giuseppe
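A variant of the search above, added here as an example and not part of the original reply: it goes beyond the posted search by tracking each host's last event time, so a monitored host that went quiet recently is flagged even when the search window is long. The `index=*` scope and the 60-minute threshold are assumptions to adjust; perimeter.csv and its host column are the lookup described in the post.

```spl
| tstats latest(_time) AS last_seen WHERE index=* BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), monitored=1 | fields host monitored ]
| stats max(last_seen) AS last_seen, max(monitored) AS monitored BY host
| where monitored=1 ```keep only hosts listed in perimeter.csv```
| eval minutes_silent=round((now()-last_seen)/60)
| where isnull(last_seen) OR minutes_silent>60 ```60 minutes is an assumed threshold```
| eval status=if(isnull(last_seen), "no events in search window", "silent for ".minutes_silent." minutes")
| eval last_seen=strftime(last_seen, "%F %T")
| table host last_seen minutes_silent status
```

Saved as a scheduled alert that triggers when the number of results is greater than zero, this reports each silent host with how long it has been quiet.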
This is very smart. Here is something I'd build for the Salesforce add-on using the same logic.
| metasearch index=_internal sourcetype=sfdc*
| stats count BY source
| append [ | inputlookup sfdc_sources.csv | fields source count ]
| stats sum(count) AS total BY source
| where total!=#
```# is based on the type of inputs you have configured for your environment.
Then send an alert ```
Thanks for the help, this worked for the customer. Just to clarify, and I typed too quickly: he just wanted to know ahead of time when receiving data fails. He did not want to find out later that data was not coming in. Thank you for the detail.
Hi @mockinator44 ,
good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
The main question is how do you define "data ingest fails". If you can define it, you'll probably know the answer yourself 😉