Splunk Search

search command to check missing events by sourcetypes/source?

remy06
Contributor

Hi,

I'm using this command to search for hosts that have stopped sending data within the last 24 hours. Using this, any host that has stopped sending logs to Splunk will be listed in a table with the last received time.

| metadata type=hosts | tags host | eval age = now() - lastTime | search (age > 86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

However, I realized there will be a problem when I have a host that is sending data by 2 different sourcetypes. For example only, hostA could be sending OS level logs via UDP and an application log file by secure transfer (SSH). In this scenario, if hostA continues to send OS logs via UDP but fails to send the application log file by SSH, the search command above would not detect the failure.

Is there any other solution? I've tried to create a search where type=sources or sourcetypes, but it does not work.


mw
Splunk Employee

If you haven't used the Deployment Monitor app yet, you should take a look. It can tell you when you're receiving less data than expected, and you can configure alerting.

You could do this as a very broad, slow, naive search:

* | stats max(_time) as _time by host, source | sort _time, host, source

But, looking at the _internal index for metrics would probably be best, which is what the Deployment Monitor does.
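As an added example (not from either post above), here is a per-host-and-sourcetype version of the original check. It uses tstats over indexed fields, so it reads the index's tsidx files instead of scanning raw events the way a bare `*` search does, and it keys the result on the (host, sourcetype) pair so that hostA going quiet on one sourcetype while still sending another is reported. The 7-day baseline window and the 86400-second threshold are assumed values to adjust for your environment:

```spl
| tstats max(_time) as lastTime where index=* earliest=-7d by host, sourcetype
| eval age = now() - lastTime
| where age > 86400
| convert ctime(lastTime)
| sort -age
| table host, sourcetype, lastTime, age
```

`max(_time)` is used rather than `last()` because it is chronological regardless of the order results come back in. Two caveats: tstats can only report pairs it has indexed, so a host/sourcetype combination with no events anywhere in the 7-day window will not appear at all; keep the baseline window well longer than the alert threshold, or compare the result against an expected-inventory lookup if you need to catch sources that have been silent for the whole window. Also, `index=*` only covers the indexes your role is allowed to search. Swap `sourcetype` for `source` in the `by` clause if the file-level view (the SSH-delivered application log in the question) is what you need to watch.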
