Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert if a syslog device does not send data in a rolling 24-hour period?

matthew_foos
Path Finder
‎09-13-2017 12:35 PM

Splunkers,

To meet a regulatory requirement, I need to alert on if a syslog device does NOT send data to the Indexers in a 24 hour period.

For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, and alert must be generated.
This alert needs to have a hostname.

We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16 and it will always be 16 for this specific devices type.

Any advice would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-13-2017 03:18 PM

HI matthew.foos,
you should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and the schedule an alert like this

| metasearch index=* 
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ]
| stats sum(count) AS Total by host
| where Total=0

You should check what is the minimum time period for monitoring because 24 hours probably is a too large period.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sureshkumaar
Path Finder
‎10-01-2019 04:34 AM

Hi Richgalloway,

      Can i know what does this "where diff > 86400" trying to say in the query?
0 Karma
Reply
Solved! Jump to solution

decoherence
Explorer
‎10-22-2019 06:40 AM

The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...