Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Identifying "idle" sources
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I get a list of sources that haven't received any events for a given period of time (e.g. for last 24 hours). Purpose: alert Splunk admin if there are "idle" sources
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To find sources that have checked in within the last week, but not within the last 24 hours:
| metadata sources
| eval age=now()-recentTime
| where age>86400 and age<604800
| convert ctime(recentTime) as LastEvent
Tune the cutoff values (in seconds) in line 3 as needed.
Replace sources with hosts or sourcetypes if you want to report on those.
To evaluate for a specific source/sourcetype from a specific host, you would have to query the timestamps of raw events instead of using metadata (which can be much slower).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To find sources that have checked in within the last week, but not within the last 24 hours:
| metadata sources
| eval age=now()-recentTime
| where age>86400 and age<604800
| convert ctime(recentTime) as LastEvent
Tune the cutoff values (in seconds) in line 3 as needed.
Replace sources with hosts or sourcetypes if you want to report on those.
To evaluate for a specific source/sourcetype from a specific host, you would have to query the timestamps of raw events instead of using metadata (which can be much slower).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the following search to identify the last reported time of hosts:
| metadata type=hosts index=blah | sort recentTime desc | convert ctime(recentTime) as Recent_Time
And you can modify it to work on sources by changing hosts to sources:
| metadata type=sources index=blah | sort recentTime desc | convert ctime(recentTime) as Recent_Time
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
