Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search and set up an alert using the metadata command to find hosts that are not reporting in?

hartfoml
Motivator
‎10-31-2014 08:35 AM

I can do this search | metadata type=hosts | convert timeformat="%m/%d/%Y - %H:%M:%S" ctime(*Time)

This will give me the date fields of first, last and recent Time.

I want to Pipe to an if statement to see if the recent or last time is between yesterday and 14 days ago and report on only those servers.

If a server has not been reporting in 14 days it is most likely off the network for good.

How do I correct the syntax for | eval not_reporting=case(lastTime>yesterday, alert, lastTime<30days_ago, alert)

Any help with syntax would be great.

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-31-2014 09:17 AM

Try this

|metadata type=hosts | table host lastTime | where lastTime<relative_time(now(),"-1d@d") AND lastTime>relative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-31-2014 09:17 AM

Try this

|metadata type=hosts | table host lastTime | where lastTime<relative_time(now(),"-1d@d") AND lastTime>relative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime
Reply
Solved! Jump to solution

revanthammineni
Path Finder
‎07-27-2020 01:47 PM

Hi! I’m using metadata to report the missing logs in splunk. I’m giving a eval condition as 

eval reporting = case(isnull(lastTime), “no”,1=1, “yes”)..

so where ever there is “no”,  I’m counting those hosts and reporting. I want to know if there is any dynamic way of passing time to the query since the above mentioned logic isn’t working for me.

Thanks In advance.

0 Karma
Reply
Solved! Jump to solution

brod_geico
Path Finder
‎12-15-2014 01:11 PM

This is not working for me
|metadata type=hosts | table host lastTime | where lastTimerelative_time(now(),"-30d@d") | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2016 08:54 PM

You are missing < and > characters and merging 2 existing field names into garbage ones.

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎10-31-2014 09:39 AM

This works great, Thanks much for the help

0 Karma
Reply
Solved! Jump to solution

hartfoml
Motivator
‎10-31-2014 08:47 AM

I can do this type of search but how do I make the search dates dynamic

| metadata type=hosts | convert timeformat="%Y%m%d" ctime(lastTime) AS LastTime | table host LastTime | where LastTime<20141030 AND LastTime>20140930

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...