Alert if no events seen in X hours

Question

Using the following search:

|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime

I am able to get a list of all hosts and when the last time splunk saw an event from that host. What I would like to do is create a saved search based off of this sort of search that I can use as an alert if lastTime is greater than some number of hours for any particular host. I was imagining something along the lines of

|metadata type=hosts |sort lastTime|convert ctime(lastTime)|fields host,lastTime |where NOW - lastTime > 12h

Or something along those lines. Is there a function that would give me NOW (current date/time) and if so, is this the right approach to get what I'm after?

Accepted Answer

4

You're looking for the now() function in eval. The following search will alert you if there are any hosts that haven't sent any data for more than one hour (3600 seconds)

# compare last event's time to now 
|metadata type=hosts | eval since=now()-lastTime | search since>3600 |...

OR 
# compare indexer's time when last event came to now
|metadata type=hosts | eval since=now()-recentTime| search since>3600 |...

link

answered 29 Apr '11, 12:05

Ledion Bitincka ♦
1.5k●3●6
accept rate: 34%

edited 29 Apr '11, 12:06

Awesome, exactly what I was looking for. Thanks!

(29 Apr '11, 12:14) chadroberts

Alert if no events seen in X hours

Follow this question

Splunk Resources

Related questions