Solved: Missing sourcetype from a particular device

surekhasplunk · ‎03-17-2020

I have a list of 10 sourcetypes and a list of 14 ips . If a particular ip stops sending data for any sourcetype in last 6 hours i should be alerted. How to set it.
I tried metadata sourcetype but that gives only missing sourcetypes.
If i use only metadata host i get only missing hosts
but how to get a combination of missing host and sourcetype.

manjunathmeti · ‎03-17-2020

Hi @surekhasplunk,

Use metasearch, replace SOURCETYPEs and HOSTs in below query and check.

| metasearch index=INDEXNAME
| stats count by sourcetype, host 
| append 
    [| makeresults 
    | eval sourcetype=split("SOURCETYPE1,SOURCETYPE2,SOURCETYPE3,...,SOURCETYPE10", ","), host=split("HOST1,HOST2,HOST3,....,HOST14", ",") 
    | mvexpand sourcetype 
    | mvexpand host 
    | fields - _time] 
| fillnull value=0 
| stats sum(count) as count by sourcetype, host 
| where count=0

And set Trigger Condition as Number of result greater than 0 in alert configuration.

View solution in original post

manjunathmeti · ‎03-17-2020

Hi @surekhasplunk,

Use metasearch, replace SOURCETYPEs and HOSTs in below query and check.

| metasearch index=INDEXNAME
| stats count by sourcetype, host 
| append 
    [| makeresults 
    | eval sourcetype=split("SOURCETYPE1,SOURCETYPE2,SOURCETYPE3,...,SOURCETYPE10", ","), host=split("HOST1,HOST2,HOST3,....,HOST14", ",") 
    | mvexpand sourcetype 
    | mvexpand host 
    | fields - _time] 
| fillnull value=0 
| stats sum(count) as count by sourcetype, host 
| where count=0

And set Trigger Condition as Number of result greater than 0 in alert configuration.

Missing sourcetype from a particular device

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI