Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to alert if a syslog device does not send data in a rolling 24-hour period?

matthew_foos
Path Finder
‎09-13-2017 12:35 PM

Splunkers,

To meet a regulatory requirement, I need to alert on if a syslog device does NOT send data to the Indexers in a 24 hour period.

For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, and alert must be generated.
This alert needs to have a hostname.

We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16 and it will always be 16 for this specific devices type.

Any advice would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-13-2017 03:18 PM

HI matthew.foos,
you should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and the schedule an alert like this

| metasearch index=* 
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ]
| stats sum(count) AS Total by host
| where Total=0

You should check what is the minimum time period for monitoring because 24 hours probably is a too large period.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sureshkumaar
Path Finder
‎10-01-2019 04:34 AM

Hi Richgalloway,

      Can i know what does this "where diff > 86400" trying to say in the query?
0 Karma
Reply
Solved! Jump to solution

decoherence
Explorer
‎10-22-2019 06:40 AM

The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...