Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an Alert or dashboard for identifying if a server log hasn’t reported in 24 hrs?

Gggflyer
New Member
‎08-11-2023 06:59 AM

I created a search to list servers and the last time a windows log reported. 

command i am using is  Tstats latest(_time) as lastseen where (index=windows) by host | convert ctime(lastseen)

 

I am trying to compare that  “last seen” to current time and if more than 24 hrs then I would like to alert.

Any thoughts on how to identify and alert on that. Ultimately would love adding this to a dashboard.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

jotne
Builder
‎08-12-2023 10:12 AM

If you have many server/indexes/sourcetype to monitor, you can have a look at the app TrackMe
https://splunkbase.splunk.com/app/4621

Reply

gcusello
SplunkTrust
SplunkTrust
‎08-12-2023 01:33 AM

Hi @Gggflyer,

if you need to find hosts that didn't logged in the last 24 hours you can use the search from @richgalloway .

If you also need to find servers that didn't logged for a longer time or never logged, you should use a different similar approach:

you have to create a lookup containing the servers to monitor (called e.g. perimeter.csv) containing at lest one field (host) and the n running a search like the following:

| tstats count latest(_time) as lastseen WHERE (index=* earliest=-24h latest=now) BY host 
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total values(lastseen) AS lastseen BY host
| where total=0
| convert ctime(lastseen)

Ciao.

Giuseppe

Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2023 07:42 AM

Compare lastseen to the current time (value produced by the now() function) before converting the format.

| tstats latest(_time) as lastseen where (index=windows) by host 
| where lastseen <= relative_time(now(), "-24h")
| convert ctime(lastseen)


 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...