Solved: Alert for syslog

asarolkar · ‎07-25-2012

I am trying to set an alert that notifies the admin of a situation when we dont get any data from syslog (no messages on udp:514) :

Alerts based on the following searches seem to be failing:

index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput series=syslog | eval flag= if(isnull(kb) OR len(kb)<=1,"Y","N") | table flag | search flag="Y"

sourcetype=syslog | timechart count span=1d | search count=0

Neither seems to be working out (there is no data written to that sourcetype which clearly one of the two ought to capture)

Any other/ideas suggestions ? I do not want to use deployment monitor (unless IN deployment monitor, there happens to be a way to configure an alert when it sees a missing sourcetype/no data from sourcetype ) ?

hjwang · ‎07-25-2012

I think you can use a simple way to do this by searching source=udp:514

then set alert condition when number of events equals zero

View solution in original post

hjwang · ‎07-25-2012

I think you can use a simple way to do this by searching source=udp:514

then set alert condition when number of events equals zero

Alert for syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation