Reporting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: How to monitor log source / index outages?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glasses
Builder
12-08-2020
10:46 AM
I have about a dozen data sources that I want to monitor for an outage... like>>> No Events in Last 60 minutes.
Currently I have been using a separate alerts for each data source / index which run every hour and alert if there are 1 < events.
I am just wondering if there is a better way to do this.... I also have to contend with some sources having longer that 60 minute delay at times...
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glasses
Builder
12-09-2020
07:10 AM
Thank you for the suggestion, but we were not able to create alerts for individual indexes / data sources with |metadata , maybe you know how to do that...?
So we are currently using time interval outage alerts for each specific index AND/OR sourcetype AND/OR source.
For example >>>
| tstats count where index=<foo> sourcetype=<bar> earliest=<-60m>
the result is a count and thus in the alerts we use custom alert trigger "search count=0"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rafamss
Contributor
12-08-2020
11:45 AM
I used these two commands below to perform what you are doing. You can use your personal rule to trigger an alert or just monitor it in a Dashboard for example.
#01 - Monitor the incoming data from hosts
| metadata type=hosts
| convert ctime(lastTime), cTime(recentTime)
#02 - Monitor the incoming data from sourcetypes
| metadata type=sourcetypes
| convert ctime(lastTime), cTime(recentTime)
#03 - Monitor the incoming data from an specific index
| metadata type=sourcetypes index=_internal
| convert ctime(lastTime), cTime(recentTime)And take a look at this post on Splunk' Blog: https://www.splunk.com/en_us/blog/tips-and-tricks/metadata-metalore.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glasses
Builder
12-09-2020
07:10 AM
Thank you for the suggestion, but we were not able to create alerts for individual indexes / data sources with |metadata , maybe you know how to do that...?
So we are currently using time interval outage alerts for each specific index AND/OR sourcetype AND/OR source.
For example >>>
| tstats count where index=<foo> sourcetype=<bar> earliest=<-60m>
the result is a count and thus in the alerts we use custom alert trigger "search count=0"
Get Updates on the Splunk Community!
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!
Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...
Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
