Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang
New Member
‎06-03-2015 06:38 PM

Hi all,

I am a new one to splunk. Now i am facing some problem to get the data as I want.
I have more than 250 servers forwarding data to splunk, and the events are updated every hour as a group. For example, each server will sent the total number of interaction for the last hour. now I want to find every server name which has not sent data for the last 4 hours.
When I search the event, if there is no data sending, then the server name will not display after search, so I can't get them. My question is how can I get all server names and then find out those who are no longer sending. Please kindly help me on this.
My base search: 

 interaction_count="*" LIVE| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date

Thanks in advance~~~

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400

View solution in original post

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-04-2015 07:05 AM

Here you go!

interaction_count="*" LIVE|bucket _time span=4h| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date|where sum_interaction_count=0
SGF
0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:05 PM

Thanks for your help Stephanefotso.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:04 PM

Thanks so much Woodcock, it works!!

0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-03-2015 06:43 PM

One thing need mention is that, if there is no interaction in 1 hour, it still send a event, but the sum(interaction_count) is 0. Now I want to find out no data reporting screen, which shows blank not 0 if we show one day event by hour.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...