Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert for specific missing events

marco_massari11
Communicator
‎06-07-2024 07:54 AM

Hello,

I need to monitor some critical devices (stored in a lookup file) connected to the Crowdstrike console, in particular if they will be disconnected from it. We receive one event every 2 hours for each device from Crowdstrike device json input in Splunk, so basically if after 2 hours there is not the new event, the alert should trigger reporting the hostname. Has anyone some idea for implementing this?

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2024 08:03 AM

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-07-2024 08:03 AM

Hi @marco_massari11 ,

you should run something ike this (if the search is only on index, host, source and sourcetype

| tstats 
     count
     WHERE index=your_index
     BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you have to use a more comples search, you can use

<your_search>
| stats count BY host
| append [ | inputlookup your_lookup.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...