Solved: Stop sending

aalhabbash1 · ‎05-25-2019

Hi Splunker;

How to detected a index stop receiving logs from any technology last 2 hours, I need for indexes not sourcetype?

Appreciate your support.

Best Regards;

koshyk · ‎05-25-2019

the best way is to see when the last time you got the data into the index and see if that time is > 2 hours

|tstats latest(_time) as latest_event WHERE (index=* OR index=_*) by index
|eval timeDiff=now() - latest_event
| where timeDiff > 7200

it should show any index which has not recieved data in last 7200 secs (i.e 2hrs)

koshyk · ‎05-25-2019

the best way is to see when the last time you got the data into the index and see if that time is > 2 hours

|tstats latest(_time) as latest_event WHERE (index=* OR index=_*) by index
|eval timeDiff=now() - latest_event
| where timeDiff > 7200

it should show any index which has not recieved data in last 7200 secs (i.e 2hrs)

aalhabbash1 · ‎05-26-2019

Mr.Koshyk

Done; many thank you, this is which I want, appreciate that

Best Regards;

Stop sending