Hi All
Newbie Splunk user here. I am wondering what the best search would be to alert on when trying to establish when an instance is not sending any perfmon data for a period of time, say 10 mins, and to display the severity of the item within a table.
So far I have: index=client* sourcetype="Perfmon*" source=Perfmon:*
I may also just include the string ignoreOlderThan 2 days so I can always be sure the data being queried is fresh.
Thanks
Mark
You could run this every N minutes over a timerange of -2Nm to now:
your base search | stats max(_time) as latest by host | where latest < relative_time(now(), "-Nm")
Trigger the alert whenever there is a result. Note: I'm assuming the expected indexing delay to be much smaller than N minutes.
I'm not sure where you're getting a severity from.
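An added example, not from either poster, that implements the answer's check in Python over constructed sample events and goes one step beyond it: a host with no events at all in the -2Nm search window never appears in the stats-by-host output, so the example also compares against an assumed list of expected hosts. Host names, timestamps, the N=10 threshold and the expected-host list are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of indexed Perfmon events as (host, _time) pairs.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("web01", NOW - timedelta(minutes=1)),    # healthy
    ("web01", NOW - timedelta(minutes=6)),
    ("db01",  NOW - timedelta(minutes=14)),   # stale: last seen 14 min ago
    ("db01",  NOW - timedelta(minutes=18)),
    ("app02", NOW - timedelta(minutes=25)),   # older than the -2Nm window
]
# Hypothetical inventory of hosts that should be reporting (app03 never has).
EXPECTED_HOSTS = {"web01", "db01", "app02", "app03"}


def silent_hosts(events, expected_hosts, now, threshold_min=10, window_min=None):
    """Mimic: ... | stats max(_time) as latest by host
              | where latest < relative_time(now(), "-Nm")
    Events outside the search window are dropped first, as Splunk would.
    Returns {host: last_seen_or_None} for every expected host that is silent.
    threshold_min must comfortably exceed the indexing delay, or healthy hosts
    whose last event is still being indexed will be reported as silent."""
    if window_min is None:
        window_min = 2 * threshold_min          # the answer's -2Nm timerange
    window_start = now - timedelta(minutes=window_min)
    latest = {}
    for host, t in events:
        if t < window_start:
            continue                            # outside the search window
        if host not in latest or t > latest[host]:
            latest[host] = t                    # stats max(_time) by host
    cutoff = now - timedelta(minutes=threshold_min)
    silent = {}
    for host in expected_hosts:
        last = latest.get(host)
        # None means the host had nothing in the window at all; the SPL alone
        # would never list it, which is why the expected-host list is needed.
        if last is None or last < cutoff:
            silent[host] = last
    return silent


if __name__ == "__main__":
    for host, last in sorted(silent_hosts(EVENTS, EXPECTED_HOSTS, NOW).items()):
        print(host, "last seen:", last.isoformat() if last else "never in window")
```

If the alert search is run every N minutes as the answer suggests, any non-empty result is the trigger condition.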