Solved: Alert for specific missing events

marco_massari11 · ‎06-07-2024

Hello,

I need to monitor some critical devices (stored in a lookup file) connected to the Crowdstrike console, in particular if they will be disconnected from it. We receive one event every 2 hours for each device from Crowdstrike device json input in Splunk, so basically if after 2 hours there is not the new event, the alert should trigger reporting the hostname. Has anyone some idea for implementing this?

gcusello · ‎06-07-2024

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-07-2024

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Alert for specific missing events

eval

fields

lookup

regex

table

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

Alert for specific missing events