Re: Splunk Host Reporting

ssahil · ‎06-17-2021

I am looking for a Query where we can set up monitoring and alert which can tell us how many Host are Reporting and Non Reporting accordingly alert is set up.

Sources are not Reporting from last 24 hours need to set up alert.

Can you Please assist.

gjanders · ‎06-19-2021

From community slack!missinghosts

There are a lot of options for finding hosts or sources that stop submitting events:

Meta Woot! https://splunkbase.splunk.com/app/2949/

TrackMe https://splunkbase.splunk.com/app/4621/

Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/

Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/

Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring

Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

Some helpful posts:

https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe

https://www.duanewaddle.com/proving-a-negative/

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

ITWhisperer · ‎06-18-2021

If you know all the hosts you are expecting to "report", search the indexes in the last 24 hours and see which ones don't have any results. Do you have a list of hosts in a lookup?

ssahil · ‎06-18-2021

No We don't have list of Lookup file.

Can you help the Query to extract the data

ITWhisperer · ‎06-18-2021

| stats latest(_time) as lastreport by host

Splunk Host Reporting

host

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation