Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Notification when indexes stop receiving data

lavster
Path Finder
‎07-19-2023 09:49 AM

Hi, we’ve had a problem recently where data has stopped flowing to an index, and it’s a few days before we find out and then resolve. Does anyone know of a splunk 9.x feature or an add-on that you can use to monitor / alert when data stops for a set amount of time?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

meetmshah
SplunkTrust
SplunkTrust
‎07-19-2023 10:56 AM

TrackMe (https://splunkbase.splunk.com/app/4621) is the application that can help you.

 

Also, you can built custom saved searches which looks over the latest _time of the events and alert if the time difference between current time and latest(_time) is more than threashold. Threashold can be maintained in the lookup and called in the search. For example, create a lookup called acceptable_diff.csv with sample entries as below - 

meetmshah_0-1689789323346.png

 

and run the below search - 

 

| tstats latest(_time) as lastEventTime where index=* by index
| eval current_time=now()
| eval diff=current_time-lastEventTime
| lookup acceptable_diff.csv index as index OUTPUTNEW acceptable_diff as acceptable_diff
| eval diffWithAcceptableDiff=diff-acceptable_diff
| sort 0 - lastEventTime
| eval lastEventTime=strftime(lastEventTime,"%m/%d/%y %H:%M:%S")
| fields index lastEventTime diffWithAcceptableDiff acceptable_diff
| search diffWithAcceptableDiff>0

 

Feel free to accept the answer if it helps!

View solution in original post

Reply
Solved! Jump to solution

sainag_splunk
Splunk Employee
Splunk Employee
‎07-19-2023 12:03 PM

Try something like this from the metrics log.
index=_internal source=*metrics.log* host=idx* series=yourindexname | stats latest(_time) as last_data_time by series | eval duration_seconds = now() - last_data_time | eval duration_human = strftime(duration_seconds, "%d days %H:%M:%S") | where duration_seconds > <your_duration_in_seconds>

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
0 Karma
Reply
Solved! Jump to solution
Solution

meetmshah
SplunkTrust
SplunkTrust
‎07-19-2023 10:56 AM

TrackMe (https://splunkbase.splunk.com/app/4621) is the application that can help you.

 

Also, you can built custom saved searches which looks over the latest _time of the events and alert if the time difference between current time and latest(_time) is more than threashold. Threashold can be maintained in the lookup and called in the search. For example, create a lookup called acceptable_diff.csv with sample entries as below - 

meetmshah_0-1689789323346.png

 

and run the below search - 

 

| tstats latest(_time) as lastEventTime where index=* by index
| eval current_time=now()
| eval diff=current_time-lastEventTime
| lookup acceptable_diff.csv index as index OUTPUTNEW acceptable_diff as acceptable_diff
| eval diffWithAcceptableDiff=diff-acceptable_diff
| sort 0 - lastEventTime
| eval lastEventTime=strftime(lastEventTime,"%m/%d/%y %H:%M:%S")
| fields index lastEventTime diffWithAcceptableDiff acceptable_diff
| search diffWithAcceptableDiff>0

 

Feel free to accept the answer if it helps!

Reply
Solved! Jump to solution

lavster
Path Finder
‎07-19-2023 10:58 PM

amazing thank you for this! i'll give this a go today

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...