An alternative to this method, which would be very configurable: if no event has been generated in 24 hours, send a Splunk notice, but if no event has been generated in 72 hours, send a danger email.
Could there perhaps be a better alternative?
It actually works very efficiently for me because I'm using dbx to monitor database logging. We use a tailing method, and therefore dbx is checking on a schedule, and each time dbx checks the database it generates a log entry. If we lose the connection to the database then we get an alert, and when the database is connected we are guaranteed that there will be events.
Great, thank you very much, lukejadamec!
With regard to this method that you mention, I do not know if it's very efficient, because you have to trust that every day, 24 hours a day, the DB will be generating at least one event.... If it did not, then the alert would start to become annoying, and the notice would lose its meaning.
You can create a search like:
Save the search.
Create an Alert for the search:
Time: -15m@m now
Schedule: Cron 0 */1 * * *
Condition: If number of events is less than 1
Send Email: Enable
Email Address: your email address
This will check once an hour for data from your dbx source. Change the cron schedule to adjust the frequency.
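Both of the approaches discussed in this thread (the hourly "fewer than one event" alert from the steps above, and the escalating 24-hour notice / 72-hour danger email proposed earlier) can be expressed as saved searches in `savedsearches.conf`. The stanzas below are an added example written for this thread, not lukejadamec's actual configuration. The index `db_audit`, the sourcetype `dbx_log`, the stanza names and the address `dba-oncall@example.com` are all assumptions for illustration; substitute your own DB Connect input's index and sourcetype.

```ini
# Added example (not from the thread). Three alerts on the same DB Connect
# feed, escalating by how long the feed has been silent.
# Assumed names (hypothetical): index=db_audit, sourcetype=dbx_log,
# recipient dba-oncall@example.com.

# Tier 1: hourly check, as in the steps above. The dispatch window is set
# to the same length as the cron interval so every minute is covered;
# a 15-minute window on an hourly schedule would leave 45 minutes unobserved.
[dbx_no_events_1h]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
search = index=db_audit sourcetype=dbx_log
counttype = number of events
relation = less than
quantity = 1
alert.severity = 3
alert.track = 1
action.email = 1
action.email.to = dba-oncall@example.com
action.email.subject = [Splunk] No DB Connect events in the last hour

# Tier 2: 24-hour notice. Uses tstats so the longer lookback stays cheap
# (it reads the index metadata rather than raw events), and a custom
# condition because tstats always returns one row. Throttled so it
# fires at most once per day instead of every hour while the feed is down.
[dbx_no_events_24h_notice]
enableSched = 1
cron_schedule = 15 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = | tstats count where index=db_audit sourcetype=dbx_log
counttype = custom
alert_condition = search count < 1
alert.severity = 4
alert.track = 1
alert.suppress = 1
alert.suppress.period = 24h
action.email = 1
action.email.to = dba-oncall@example.com
action.email.subject = [Splunk] NOTICE: no DB Connect events for 24 hours

# Tier 3: 72-hour danger email, same shape with a longer window,
# higher severity and a 72-hour throttle.
[dbx_no_events_72h_danger]
enableSched = 1
cron_schedule = 30 * * * *
dispatch.earliest_time = -72h@h
dispatch.latest_time = now
search = | tstats count where index=db_audit sourcetype=dbx_log
counttype = custom
alert_condition = search count < 1
alert.severity = 5
alert.track = 1
alert.suppress = 1
alert.suppress.period = 72h
action.email = 1
action.email.to = dba-oncall@example.com
action.email.subject = [Splunk] DANGER: no DB Connect events for 72 hours
```

Two points worth checking before relying on this: the "number of events less than 1" condition only works with a raw event search (the first stanza); once you pipe through `stats` or `tstats` the search always returns one result row, so the condition has to be expressed on the count field as in the second and third stanzas. And the alert will also fire when the search head cannot reach the indexers, which is usually what you want from a dead-feed check, but it means the email does not by itself distinguish a database outage from a Splunk outage.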