Splunk Search

Quickly find the time since the last event logged by a host

approachct
Path Finder

We are trying to monitor the hosts to ensure they have not stopped logging events. The search being used is

*|stats max(EVENT_TIMESTAMP) AS LastTime by WEB_SERVER
 |convert timeformat="%Y%m%d %H:%M:%S" mktime(LastTime)
 |eval MinutesAgo=now()-LastTime
 |convert timeformat="%M:%S" ctime(MinutesAgo)
 |fields WEB_SERVER, MinutesAgo
 |sort -MinutesAgo
 |table WEB_SERVER, MinutesAgo

I expect that there is a much more efficient way of doing this, probably going after some of the metadata that is stored in Splunk along with the log event.

Any ideas?

Tags (1)
1 Solution

piebob
Splunk Employee
Splunk Employee

this search looks at the recentTime and provides a table of hosts sorted by the last time they were heard from:

| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time

or, you could enable the Deployment Monitor app and configure it to alert you when forwarders haven't been heard from:

http://www.splunk.com/base/Documentation/latest/Deploy/Troubleshootyourdeployment

View solution in original post

piebob
Splunk Employee
Splunk Employee

this search looks at the recentTime and provides a table of hosts sorted by the last time they were heard from:

| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time

or, you could enable the Deployment Monitor app and configure it to alert you when forwarders haven't been heard from:

http://www.splunk.com/base/Documentation/latest/Deploy/Troubleshootyourdeployment

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...