Re: How to create a script that will help me to kn...

pacifikn · ‎07-21-2022

Greetings!

Kindly Dear Team, Kindly help on how to create a script / Alert in Splunk that will help me to know the devices that are not sending logs?

I usually use query to know the device that are not sending logs but i need that we could get message alert for each device that are not sending logs.

>Manually:

index: xxx earliest=1 | stats latest(_time) as _time count by host.

I would like to get the alert or if there's another way I get alert all the devices that are not sending logs/receiving its logs. kindly help me?

Thank you in advance.

gcusello · ‎07-21-2022

Hi @pacifikn,

if you see in the Monitoring Console, you can find this search.

Anyway, if you want your own, you should create a lookup (called e.g. perimeter.csv) containing the list of hosts to monitor (aftel I'll describe this point) and run a search like this:

| metasearch index=_internal 
| eval host=lower(host)
| stats count BY host
| appemd [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

About the perimeter.csv lookup, you can manually manage it (and I hint this) or automatically rebuild every night scheduling a search.

Ciao.

Giuseppe

How to create a script that will help me to know each devices that are not sending logs?

CLI

Linux

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation