Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Writing a search that will catch sourcetypes that have logged in x amount of time

brent_weaver
Builder
‎05-18-2017 05:31 AM

We are wokring on coming up with a methd to detect data that stops coming in based on sourcetype. I believe I will want to look at the metadata like:

|metadata index=index_name type=sourcetypes

This yields a nice list (based on index of course). How do I structire this metadata query to pick out sourcetypes that have not reported in in say 1 day? I would assume I woudl leverage the epoch timestamp and do some simple math?

Any help is MUCH apprecaited!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-18-2017 05:41 AM

You can take a difference of current time and lastTime field and check if its greater than a day -

 | metadata index=index_name type=sourcetypes | eval diff=now() - lastTime | where diff > 86400 | convert ctime(lastTime)

Similar query be created to identify hosts which have stopped reporting (even if no non-internal logs are generated internal logs are continuously read from hosts) -

 | metadata type=hosts | eval diff=now() - lastTime | where diff > 86400 | convert ctime(lastTime)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-18-2017 05:41 AM

You can take a difference of current time and lastTime field and check if its greater than a day -

 | metadata index=index_name type=sourcetypes | eval diff=now() - lastTime | where diff > 86400 | convert ctime(lastTime)

Similar query be created to identify hosts which have stopped reporting (even if no non-internal logs are generated internal logs are continuously read from hosts) -

 | metadata type=hosts | eval diff=now() - lastTime | where diff > 86400 | convert ctime(lastTime)
0 Karma
Reply
Solved! Jump to solution

brent_weaver
Builder
‎05-18-2017 07:18 AM

Thank you for the great info, and they both worked perfectly. One last question, is tstats any more efficient? We have also been playing with:

| tstats latest(_time) as latest where index=index* by sourcetype | where latest < relative_time(now(), "-60m") | eval "last seen"=strftime(latest,"%m/%d/%y %H:%M:%S") | fields – latest

Which is faster? I would suspect meta, but if I knew I woudl not bother you with this question! 🙂

Thanks!

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-18-2017 11:42 PM

Metadata query are not time dependent, but tstats queries are. Also if you want to find a sourcetype that had stopped reporting last week, then the time range for tstats command has to be greater than 7days.
Metadata queries are faster in this respect, but they can also be slow if you have huge number of results(sourcetypes or hosts).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...