Getting Data In

Sourcetype not forwarding for 10 minutes

asarolkar
Builder

This is my stab at it:

| metadata type=hosts sourcetype="example" |  convert ctime(recentTime) as Recent_Time | where lastTime LESSTHANSYMBOL (now() - 600)

I am using this query - (now() - 600) translates to look between now and 10 minutes(600 seconds) before of now.

Does look ok ?

0 Karma

Lamar
Splunk Employee
Splunk Employee

This is probably closer to what you'll want:

| metadata type=sourcetypes | eval search_time=(now()-600) | eval status=if(lastTime<search_time, "NOT_OK", "OK") | table sourcetype, status

asarolkar
Builder

Fantastic ! This gives me across all sourcetypes

0 Karma

Lamar
Splunk Employee
Splunk Employee

You could easily translate this to a by 'host' search as well. Just change the word 'sourcetype' to 'host'.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...