search command to check missing events by sourcety...

remy06 · ‎06-08-2011

Hi,

I'm using this command to search for hosts that have stopped sending data within the last 24 hours.Using this,any host that has stopped sending logs to splunk will be listed in a table with the last received time.

However,I realized there will be a problem when I have a host that is sending data by 2 different sourcetypes. For example only,hostA could be sending OS level logs via UDP and application log file by secure transfer(SSH).In this scenario if hostA continues to send OS logs via UDP but failed to send application log file by SSH,the search command above would not detect the failure.

Is there any other solution?I've tried to create a search where type=sources or sourcetypes but it does not work.

mw · ‎06-08-2011

If you haven't used the Deployment Monitor app yet, you should take a look. It can tell you when you're receiving less data than expected, and you can configure alerting.

You could do this as a very broad, slow, naive search:

* | stats last(_time) as _time by host, source | sort _time, host, source

But, looking at the _internal index for metrics would probably be best, which is what the Deployment Monitor does.

search command to check missing events by sourcetypes/source?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk