Solved: Alert for specific missing events

marco_massari11 · ‎06-07-2024

Hello,

I need to monitor some critical devices (stored in a lookup file) connected to the Crowdstrike console, in particular if they will be disconnected from it. We receive one event every 2 hours for each device from Crowdstrike device json input in Splunk, so basically if after 2 hours there is not the new event, the alert should trigger reporting the hostname. Has anyone some idea for implementing this?

gcusello · ‎06-07-2024

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-07-2024

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Alert for specific missing events

eval

fields

lookup

regex

table

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Alert for specific missing events