I need to create an alert for a host that has not sent data for 1 hour, using the index I created:
index=cisco
Hi @raja8220 ,
as @adonio said, there are hundreds of answers to this question!
So, in a few words, you have to create a lookup (called e.g. perimeter.csv) containing the hosts to check: at least one column (called e.g. host) with the hostname.
Then run a search like this:
| metasearch index=cisco
| eval host=lower(host)
| stats count BY host
| append [ inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Then schedule this search as an alert with the frequency you like.
You can also use this search (without the last line) to display the situation of your infrastructure.
Ciao.
Giuseppe
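A variant of the same check, added here as an example (it is not part of Giuseppe's answer), that also reports how long each listed host has been silent and separates hosts that have never appeared in the index from hosts that went quiet; it assumes the same perimeter.csv lookup with a host column and the index name cisco:

```spl
| inputlookup perimeter.csv
| eval host=lower(host)
| join type=left host
    [ | metadata type=hosts index=cisco
      | eval host=lower(host)
      | fields host recentTime ]
| eval silent_for=now()-coalesce(recentTime, 0)
| where isnull(recentTime) OR silent_for>3600
| eval last_seen=if(isnull(recentTime), "never", strftime(recentTime, "%Y-%m-%d %H:%M:%S"))
| eval silent_for=if(isnull(recentTime), "n/a", tostring(silent_for, "duration"))
| table host last_seen silent_for
```

recentTime is the index time of the newest event per host, so a host with broken timestamp extraction still counts as sending data; run the alert over a wide time range (metadata honours the time picker), since a narrow window would make long-silent hosts look like they never existed.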
There are tons of answers in this portal.
Here are a few that jump out right away:
https://answers.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data.html
https://answers.splunk.com/answers/574340/how-to-alert-if-a-syslog-device-does-not-send-data.html
Hope it helps.
How about this?
| inputlookup MyServerList.csv
| eval totalCount=0
| appendcols override=true
[| metadata type=hosts
| search
[| inputlookup MyServerList.csv
]
]
| where totalCount = 0