- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Index Not Reporting in Splunk Query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Index Not Reporting in Splunk Query
Hi Team,
I would like to create a saved search in such a way that if any of the index is not reporting in Splunk for more than an hour then it should trigger an email with the index name information in it along with the last event came from that index.
Is there any query available so that i can schedule the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this.
| tstats latest(_time) as last_time, latest(_raw) as last_event by index earliest=-2h
| where (now()-last_time) > 3600
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi arjunpkishore5,
Getting an error when i ran the query.
Error in 'tstats' command: Invalid argument: 'earliest=-2h'
The search job has failed due to an error. You may be able view the job in the Job Inspector.
Kindly check and let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| metadata type=sourcetypes
| where recentTime <= relative_time(now(),"-1h")
Hi, @anandhalagarasan16021988
This query is aim to check sources has not been updated more than an hour.
you can change types(sources, hosts)
or
| tstats summariesonly=t count where index=index1 OR index=index2 by index _time span=1h
| timechart cont=f count by index
| where _time <= relative_time(now(),"-1h")
This query also checks for an index that has not been updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kindly help on the request.
Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!
Introducing Edge Processor: Next Gen Data Transformation
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
