Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search and set up an alert using the metadata command to find hosts that are not reporting in?

hartfoml
Motivator
‎10-31-2014 08:35 AM

I can do this search | metadata type=hosts | convert timeformat="%m/%d/%Y - %H:%M:%S" ctime(*Time)

This will give me the date fields of first, last and recent Time.

I want to Pipe to an if statement to see if the recent or last time is between yesterday and 14 days ago and report on only those servers.

If a server has not been reporting in 14 days it is most likely off the network for good.

How do I correct the syntax for | eval not_reporting=case(lastTime>yesterday, alert, lastTime<30days_ago, alert)

Any help with syntax would be great.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-31-2014 09:17 AM

Try this

|metadata type=hosts | table host lastTime | where lastTime<relative_time(now(),"-1d@d") AND lastTime>relative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-31-2014 09:17 AM

Try this

|metadata type=hosts | table host lastTime | where lastTime<relative_time(now(),"-1d@d") AND lastTime>relative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime
Reply
Solved! Jump to solution

revanthammineni
Path Finder
‎07-27-2020 01:47 PM

Hi! I’m using metadata to report the missing logs in splunk. I’m giving a eval condition as 

eval reporting = case(isnull(lastTime), “no”,1=1, “yes”)..

so where ever there is “no”,  I’m counting those hosts and reporting. I want to know if there is any dynamic way of passing time to the query since the above mentioned logic isn’t working for me.

Thanks In advance.

0 Karma
Reply
Solved! Jump to solution

brod_geico
Path Finder
‎12-15-2014 01:11 PM

This is not working for me
|metadata type=hosts | table host lastTime | where lastTimerelative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2016 08:54 PM

You are missing < and > characters and merging 2 existing field names into garbage ones.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎10-31-2014 09:39 AM

This works great, Thanks much for the help

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎10-31-2014 08:47 AM

I can do this type of search but how do I make the search dates dynamic

| metadata type=hosts | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime | table host LastTime | where LastTime<20141030 AND LastTime>20140930

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...