Refine your search:

How do I alert when a host stops sending data?

1

What's the best way to create a search to identify which hosts have not sent a syslog message to Splunk in the last 2 days?

asked 01 Jun '10, 22:08

matt's gravatar image

matt ♦♦
3.6k131440
accept rate: 81%

2 Answers:
oldestnewestmost voted
2

Are you talking specifically sourcetype=syslog or just any events from a host? It's easy to do any events from a host with something like this:

| metadata index=main type=hosts | eval age = now()-lastTime | where age > (2*86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

Does that work for you?

link

answered 01 Jun '10, 22:25

Lowell's gravatar image

Lowell ♦
11.2k91291
accept rate: 41%

0

I tried this search an got 0 search results

link

answered 17 Jun '10, 18:33

ram.malhotra's gravatar image

ram.malhotra
11
accept rate: 0%

1

this could mean that you don't have any "lost" hosts

(18 Jun '10, 06:37) CerielTjuh
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,685
×307

Asked: 01 Jun '10, 22:08

Seen: 1,332 times

Last updated: 17 Jun '10, 18:33

Related questions

Send email alert to system owner (in a non-bloated way)

Alert if any forwarder stops sending

how do I change a host when seeing multiple hosts?

How do I create a temperature threshold that send alert at 30 degrees

How do I know if a host is not sending me data?

How do I alert on license violations?

How do I delete all references of a host so it stops showing up on the host list?

Can I attached both PDF and CSV for alert?

Query/Alert to detect if a light forwarder stops reporting to deployment server

Copyright © 2005-2012 Splunk Inc. All rights reserved.