I am trying to set an alert that notifies the admin of a situation when we dont get any data from syslog (no messages on udp:514) :
Alerts based on the following searches seem to be failing:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput series=syslog | eval flag= if(isnull(kb) OR len(kb)<=1,"Y","N") | table flag | search flag="Y"
sourcetype=syslog | timechart count span=1d | search count=0
Neither seems to be working out (there is no data written to that sourcetype which clearly one of the two ought to capture)
Any other/ideas suggestions ? I do not want to use deployment monitor (unless IN deployment monitor, there happens to be a way to configure an alert when it sees a missing sourcetype/no data from sourcetype ) ?
