| tstats latest(_time) as latest where index=* earliest=-24h by host,index | eval status = if(latest > relative_time(now(),"-23h"),"Success","Failure"), Time = strftime(latest,"%c") | table host,index,Time,status
this will do
or use the apps in @isoutamo's reply
Mostly right, but you're going to miss indexes that have been offline for 25h+.
Should search for a longer time span, something like this:
| tstats max(_time) AS _time WHERE earliest=-7d@d BY index
| where _time<now()-(24*3600)
Is that the entire search string I will need to use? Thanks
Hi
Based on @johnhuang's SPL with some modifications. If you want to check all indexes that you have defined on your indexers, and don't want to pull data from all time with tstats, you should use this:
| tstats max(_time) as _time where earliest=-1d@d by index
| append
[| rest /services/data/indexes splunk_server=*
| fields title
| rename title as index
| eval _time=0]
| stats max(_time) as _time by index
| where _time<now()-(24*3600)
Just replace splunk_server=* with your indexers.
This just gets the list of all indexes that are defined on the indexers and then gets events from the beginning of the previous day.
r. Ismo
Hi
There are many apps which you can use for this. Here are some of them, plus other information about missing events.
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/
You could easily add alerts based on those.
r. Ismo
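The same "prove a negative" idea, applied to hosts rather than indexes, as an added example that is not part of either answer above: a lookup of the hosts you expect to report is seeded with _time=0 so that a host with no events at all in the window still appears in the result instead of silently dropping out. The lookup name expected_hosts.csv and its host column are assumptions; replace them with your own.

```spl
| inputlookup expected_hosts.csv
| fields host
| eval _time=0
| append
    [| tstats max(_time) AS _time WHERE index=* earliest=-7d@d BY host]
| stats max(_time) AS last_seen BY host
| eval hours_silent = if(last_seen==0, null(), round((now() - last_seen) / 3600, 1))
| eval status = case(last_seen==0, "never seen in 7d", hours_silent > 24, "missing", true(), "ok")
| where status != "ok"
| eval last_seen = if(last_seen==0, "n/a", strftime(last_seen, "%c"))
| table host, last_seen, hours_silent, status
```

Because the expected list comes from the lookup and not from the data, a host that disappeared before the 7-day window started is still reported; the 24-hour threshold and the -7d@d lookback are the values discussed in the thread and can be tuned per environment.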