Splunk Search

Create Search for a Host who dont send Data for x minutes in the last 10 Days

mklhs
Path Finder

Hello,

i wanted to write a search which will return all hosts which have not sent any events for 10 minutes in the last 10 days.
Normally the servers send every minute.

0 Karma
1 Solution

mklhs
Path Finder

Hello Guys,

i got it with that query:

index= sourcetype= | eval age = (now() - _time ) | stats first(age) as age, first(_time) as LastTime by xxx | convert ctime(lastTime) as "Last Active On" | eval Status=case(age < 600, "running",age > 600,"Down"

with the last eval i have determined from when a server counts as not available for me

I hope it Helps someone

Thanks @renjith.nair

View solution in original post

0 Karma

mklhs
Path Finder

Hello Guys,

i got it with that query:

index= sourcetype= | eval age = (now() - _time ) | stats first(age) as age, first(_time) as LastTime by xxx | convert ctime(lastTime) as "Last Active On" | eval Status=case(age < 600, "running",age > 600,"Down"

with the last eval i have determined from when a server counts as not available for me

I hope it Helps someone

Thanks @renjith.nair

0 Karma

renjith_nair
Legend

@mklhs,

Try

    | metadata type=hosts where index=* OR index=_*|eval delay=round((now()-lastTime)/60)|where delay >10| fields host,delay
---
What goes around comes around. If it helps, hit it with Karma 🙂

mklhs
Path Finder

Thank you!
but if I now have a time interval we say from last week Wednesday to yesterday how would I change the query? somehow that doesn't quite want to be me

0 Karma

renjith_nair
Legend

@mklhs,

Try this with time range

tstats count,max(_time) as _time where index=* by host | eval delay=(now()-_time)/60
---
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...