
How to create an alert if data fails to ingest ahead of time?

mockinator44 (Splunk Employee)

I know this may be backward, but do we have the ability to create an alert if data ingest fails, so I can know ahead of time?


gcusello (SplunkTrust)

Hi @mockinator44,

As @PickleRick said: what do you mean by "data fails to ingest ahead of time"?

If you mean that a server stops sending data, you could create a lookup (called e.g. perimeter.csv and containing one column called host) containing all the servers to monitor, then you could run something like this:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe


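What the thread leaves implicit is the step that turns Giuseppe's search into a scheduled alert. The stanza below is an added example, not code from any poster; it reuses the perimeter.csv lookup from the answer, and the stanza name, schedule, suppression window and e-mail address are placeholders to adapt. It belongs in savedsearches.conf under an app's local directory, which is the same thing Splunk Web writes when you save a search as an alert.

```ini
# Added example (not from the thread): scheduled alert for silent perimeter hosts.
# Assumptions: lookup is perimeter.csv (as in the answer); stanza name,
# schedule, suppression period and recipient are placeholders.
[Alert - perimeter host silent for 15 minutes]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
search = | metasearch index=_internal \
| eval host=lower(host) \
| stats count BY host \
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] \
| stats sum(count) AS total BY host \
| where total=0
# Fire whenever the search returns at least one silent host
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Do not re-page for the same host more than once an hour
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Silent hosts in perimeter.csv: $result.host$
```

The search window must be longer than the slowest expected reporting interval of any host in the lookup, otherwise quiet-but-healthy hosts trip total=0 and the alert pages on noise. Also note that index=_internal only proves that a forwarder's own splunkd logs are arriving; if the concern is the customer's actual data feed, point metasearch at that data index (and split by sourcetype as well as host where a server carries several inputs), so that a forwarder that is up but has a broken input is still caught.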

youngsuh (Contributor)

This is very smart. Here is something I'd build for the Salesforce add-on using the same logic.

| metasearch index=_internal sourcetype=sfdc*
| stats count BY source
| append [ | inputlookup sfdc_sources.csv | fields source count ]
| stats sum(count) AS total BY source
| where total!=#
```# is based on the type of inputs you have configured for your environment.
Then send an alert ```

mockinator44 (Splunk Employee)

Thanks for the help, this worked for the customer. Just to clarify, as I typed too quickly: he just wanted to know ahead of time when receiving data fails. He did not want to find out later that data was not coming in. Thank you for the detail.

gcusello (SplunkTrust)

Hi @mockinator44,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


PickleRick (SplunkTrust)

The main question is how do you define "data ingest fails". If you can define it, you'll probably know the answer yourself 😉
