Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to find Log Sources not reporting

lohit
Path Finder
‎10-24-2013 03:48 AM

Hello everyone,

I have around 20 forwarders (Universal) in my env and configued to forward data to Splunk Indexer. I would like to create a report which can show which all log sources have not reported for a specific time(say for last 3 days).

Please help me in this.

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-24-2013 04:40 AM

Run the Deployment Monitor App. It will a) tell you, and b) let you configure alerting quite easily.

Otherwise you can do something like this;

| metadata type=sourcetypes | append  [|metadata type=sources] | append [|metadata type=hosts] 
| eval name=coalesce(source, sourcetype, host) 
| fields + recentTime name type 
| where recentTime < now()-10*86400 
| convert ctime(recentTime) |

Just substitute the 10*86400 to whatever timespan you like - in this case it's 10 days ago.

/K

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...