Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang
New Member
‎06-03-2015 06:38 PM

Hi all,

I am a new one to splunk. Now i am facing some problem to get the data as I want.
I have more than 250 servers forwarding data to splunk, and the events are updated every hour as a group. For example, each server will sent the total number of interaction for the last hour. now I want to find every server name which has not sent data for the last 4 hours.
When I search the event, if there is no data sending, then the server name will not display after search, so I can't get them. My question is how can I get all server names and then find out those who are no longer sending. Please kindly help me on this.
My base search: 

 interaction_count="*" LIVE| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date

Thanks in advance~~~

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400

View solution in original post

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-04-2015 07:05 AM

Here you go!

interaction_count="*" LIVE|bucket _time span=4h| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date|where sum_interaction_count=0
SGF
0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:05 PM

Thanks for your help Stephanefotso.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:04 PM

Thanks so much Woodcock, it works!!

0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-03-2015 06:43 PM

One thing need mention is that, if there is no interaction in 1 hour, it still send a event, but the sum(interaction_count) is 0. Now I want to find out no data reporting screen, which shows blank not 0 if we show one day event by hour.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...