Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to alert when the last event in an index is older than 1 hour, and if any forwarder has not phoned home in the last hour?

guimilare
Communicator
‎11-17-2016 11:37 AM

Hello Splunkers.

I'm working on 2 scenarios, and I'm sure you guys can help me.

Scenario 1:
We have about 15 indexes.
Sometimes, the applications that generate data to Splunk gets stuck and no data is indexed.
What I need is to alert the user every time the last event indexed in an index is older than 1 hour.
Using metadata I'm able to deal with only 1 index at a time.

Scenario 2:
We have now about 50 forwarders sending data to Splunk.
What is the best way to alert the user if any forwarder did not phoned home in the last hour?

Thanks in advance.
Regards.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-18-2016 03:39 AM

Hi guimilare,
this method is applicable both your scenarios.
You have to create a lookup with all the indexes/forwarders to monitor (e.g.: indexes.csv or perimeter.csv) and then run a search like these using as time period one hour:

| inputlookup indexes.csv | eval count=0 | append [ index=* | stats count by index ] | stats sum(count) AS total by index | where total=0

(instead to use index=* you could create a tag or an eventtype with all your index to monitor)

| inputlookup perimeter.csv | eval count=0, host=lower(host) | append [ index=_internal | eval host=lower(host)| stats count by index ] | stats sum(count) AS total by index | where total=0

In this way you have indexes and forwarders that doesn't send logs in the selected period.

If you like, instead to have condition |where total=0 you could use rangemap command and have a visualization of the indexes or forwarders status (also graphically).

Bye.
Giuseppe

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎11-17-2016 11:44 AM

What version are you running?

If >= 6.4 then you could use the DMC to do this

Or you could set up an alert with this search 

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...