Archive

Log sources not reporting in 24 hours

Ghanayem1974
Path Finder

anyone have an idea on how to write up a search that will provide details on which logsource stopped reporting for the last 24 hours?

Tags (1)
0 Karma

woodcock
Esteemed Legend

For hosts, like this (with very large timepicker value):

|metadata type=hosts
| eval age = now() - lastTime
| search age > 86400
0 Karma

pradeepkumarg
Influencer
|metadata type=sources | eval age = now() - lastTime | search age > 86400

Ghanayem1974
Path Finder

thank you but do you know if there is a way to separate out the devices that are not reporting? meaning, if its a windows server i want to the actual server that is not reporting. hope this makes sense.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!