sourcetype reporting interval?

nahfam · ‎11-27-2019

Anybody have a query to show sourcetype reporting intervals (how often a ST sends data). I cant download or install any apps, so I need to use spl. Timechart maybe? Anybody have a dashboard for this?

Gracias

woodcock · ‎11-27-2019

This has been solved many times including:

Meta Woot!: https://splunkbase.splunk.com/app/2949/
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

ololdach · ‎11-27-2019

Hi,
I use this to monitor the health of my sourcetypes:
| tstats count where index=* by _time, sourcetype,index span=1h | stats sparkline(sum(count)) as fingerprint, sum(count) as count by sourcetype,index

sourcetype reporting interval?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability