Log sources not reporting

sahildb · ‎02-07-2021

Currently our index= windows host not reporting from last couple of days.

Need query to set up alert if log sources are not reporting to splunk.

scelikok · ‎02-08-2021

You can use below query to find hosts that is not reporting for 60 minutes by host, index and sourcetype.

| tstats max(_time) as _time where index=* by index host sourcetype | where _time < relative_time(now(),"-60m")

You can adapt 60 minutes timeout and indexes to your need.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎02-07-2021

You can use Broken Hosts app to monitor your data ingestion problems,

If this reply helps you an upvote and "Accept as Solution" is appreciated.

sahildb · ‎02-07-2021

Is there any query we can use to detect ?

sahildb · ‎02-07-2021

Thanks for the solution i think will recommend the same to team.

sahildb · ‎02-07-2021

Need to verify and set up alert which index generate data and or not and how we can monitor

Are you a member of the Splunk Community?