Check out the docs for creating a lookup with db connect. Make sure you index your lookup database table first. Also, it is probably best to avoid the dblookup command, at least in production. ... View more

To add to martin's answer, I think the best way to use db connect 1.x for lookups is to: 1) Create a db input that indexes the information into Splunk 2) Create a standard CSV-based lookup from the information indexed in step 1 3) Apply the lookup to the hosts/sources/sourcetypes that you want to annotate with the lookup information. ... View more

@somesoni2 has a good idea, although I would do it even more simply: (1) create a lookup table that contains a list of the sourcetypes that need to be checked. (2) run the following search | inputlookup sourcetype.csv | eval recentTime = 0 | join type=left sourcetype [ metadata type=sourcetypes ] | where recentTime < now() - 60 This would give you a list of all the sourcetypes in sourcetype.csv that have not seen new data in the last minute. If you wanted to check only one sourcetype, it gets even easier | metadata type=sourcetypes | where sourcetype = thesourcetypetocheck and recentTime < now() - 60 This search returns nothing if the sourcetype has received data, and a single event if it has not received data. In both cases, you might want to set an alert condition of "number of results > 0". Now, regarding event:message.in - this changes things. If the rule is "all of the sourcetypes in my list must have at least one event with event:message.in during the last minute" then the test needs to look like this (and the alert condition is still "number of results > 0"): | inputlookup sourcetype.csv | join type=left sourcetype [ search earliest=-1m event:message.in=* [ | inputlookup sourcetype.csv ] | stats count by sourcetype] | where count = 0 If the rule is "a particular sourcetype must have at list must have at least one event with event:message.in during the last minute" then this will do it earliest=-1m event:message.in=* sourcetype=mysourcetype For this last search, your alert condition should be "number of results = 0". ... View more

Real-time search don't work the same as Report Searches (standard searches). This is because Real-time searches search through events as they are being streamed to the index while report searches are reading back disk. So if you have delays in sending or indexing the search will only show events that it received in that window. If more events show up a few seconds/minutes later the wont be show in the real time search. Since those events were delayed you run your search again for that same time period not in real-time the indexer has caught up or finished receiving those delayed events so your count is larger. You will see discrepancies if your Splunk Queues on the Indexers or forwarders are having blocking issues. Also you could have NTP issues on your servers causing timestamp issues. Additional Reading: Aboutsearch Indextimeversussearchtime Handleeventtimestamps Propsconf Aboutrealtimesearches Hope this help you or gets you started. Dont forget to vote and accept answers that help. ... View more