Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sourcetype Dashboard and/or alert

bluemarvel
Path Finder
‎08-04-2016 08:59 AM

need to build an reporting alert that will indicate which sourcetype has stopped as well indicate which server, is there a method in which I can merge the two alerts together, if not then what would be the best approach. (not using Metadata)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2016 09:02 AM

Try like this. Run this for last 24hrs OR last 7 days

| tstats max(_time) as recentTime WHERE index=* by host sourcetype | eval age=now()-recentTime | where age>PutYourThresholdValueInSecHere | eval recentTime=strftime(recentTime,"%+") | eval age=tostring(age,"duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-04-2016 09:02 AM

Try like this. Run this for last 24hrs OR last 7 days

| tstats max(_time) as recentTime WHERE index=* by host sourcetype | eval age=now()-recentTime | where age>PutYourThresholdValueInSecHere | eval recentTime=strftime(recentTime,"%+") | eval age=tostring(age,"duration")
0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎08-04-2016 09:08 AM

I think the eval statement should read

eval age=now()-recentTime

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎08-04-2016 10:19 AM

ok I tried this with 45404 sec and added an index, nothing comes up.

tstats max(_time) as recentTime WHERE index=* by host sourcetype | eval age=now()-recentTime | where age>PutYourThresholdValueInSecHere

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎08-04-2016 10:21 AM

I also keep getting the following: "Error in 'tstats' command: This command is not supported in a real-time search"

is there another alternative

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎08-04-2016 10:25 AM

Try putting the values into a table so you can see the age numbers. That way you can gauge what your threshold should be (ballpark)

|tstats max(_time) as recentTime WHERE index=* by host sourcetype | eval age=now()-recentTime | table host, sourcetype, age

You shouldn't have to make this a real time search to be able to alert on it.

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎08-04-2016 10:33 AM

right, I got it to work, thank you. So the next step converting the recent time in a more readable format I.E.: (ddmmyy)

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-04-2016 10:46 AM

I've updated my answer to include the human readable formatting of recentTime and duration.

In one of the comment you mentioned trying to run this as real-time search. If you're planning to do that, I would suggest use the regular search instead with schedule more frequently (say every 5-10 mins or so) if necessary. Real-time searches are expensive and a schedule real-time search never ends and will keep holding on the precious resources.

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎08-04-2016 10:51 AM

ah got it, thank you for that

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-04-2016 09:14 AM

It should. Thanks for pointing it out. It's corrected now.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...