How to create an Alert or dashboard for identifyin...

Gggflyer · ‎08-11-2023

I created a search to list servers and the last time a windows log reported.

command i am using is Tstats latest(_time) as lastseen where (index=windows) by host | convert ctime(lastseen)

I am trying to compare that “last seen” to current time and if more than 24 hrs then I would like to alert.

Any thoughts on how to identify and alert on that. Ultimately would love adding this to a dashboard.

jotne · ‎08-12-2023

If you have many server/indexes/sourcetype to monitor, you can have a look at the app TrackMe
https://splunkbase.splunk.com/app/4621

gcusello · ‎08-12-2023

Hi @Gggflyer,

if you need to find hosts that didn't logged in the last 24 hours you can use the search from @richgalloway .

If you also need to find servers that didn't logged for a longer time or never logged, you should use a different similar approach:

you have to create a lookup containing the servers to monitor (called e.g. perimeter.csv) containing at lest one field (host) and the n running a search like the following:

| tstats count latest(_time) as lastseen WHERE (index=* earliest=-24h latest=now) BY host 
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total values(lastseen) AS lastseen BY host
| where total=0
| convert ctime(lastseen)

Ciao.

Giuseppe

richgalloway · ‎08-11-2023

Compare lastseen to the current time (value produced by the now() function) before converting the format.

| tstats latest(_time) as lastseen where (index=windows) by host 
| where lastseen <= relative_time(now(), "-24h")
| convert ctime(lastseen)

---
If this reply helps you, Karma would be appreciated.

How to create an Alert or dashboard for identifying if a server log hasn’t reported in 24 hrs?

eval

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!