Splunk Search

search command to check missing events by sourcetypes/source?

remy06
Contributor

Hi,

I'm using this command to search for hosts that have stopped sending data within the last 24 hours. Using this, any host that has stopped sending logs to Splunk will be listed in a table with the last received time.

| metadata type=hosts | tags host | eval age = now() - lastTime | search (age > 86400) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

However, I realized there will be a problem when I have a host that is sending data by 2 different sourcetypes. For example only, hostA could be sending OS level logs via UDP and application log file by secure transfer (SSH). In this scenario if hostA continues to send OS logs via UDP but failed to send application log file by SSH, the search command above would not detect the failure.

Is there any other solution? I've tried to create a search where type=sources or sourcetypes but it does not work.


mw
Splunk Employee

If you haven't used the Deployment Monitor app yet, you should take a look. It can tell you when you're receiving less data than expected, and you can configure alerting.

You could do this as a very broad, slow, naive search:

* | stats max(_time) as _time by host, source | sort _time, host, source

But, looking at the _internal index for metrics would probably be best, which is what the Deployment Monitor does.
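Added example, not from either post in this thread: the metadata command only splits on one type at a time (hosts, sources or sourcetypes), so it cannot show that hostA's SSH-delivered sourcetype went quiet while its UDP sourcetype kept flowing; a tstats search grouped by host and sourcetype can, and checking the result against a lookup of expected feeds also catches pairs that sent nothing at all inside the search window (which a data-only search would silently omit). Assumptions: a hypothetical lookup expected_feeds.csv with columns named host and sourcetype, a 30-day search window, and the same 24-hour (86400 s) threshold as the original search.

```spl
| tstats latest(_time) as lastTime where index=* earliest=-30d by host, sourcetype
| append
    [| inputlookup expected_feeds.csv
     | eval lastTime = 0 ]
| stats max(lastTime) as lastTime by host, sourcetype
| eval age = now() - lastTime
| where age > 86400
| eval status = if(lastTime == 0, "never seen in window", "stale")
| eval lastTime = if(lastTime == 0, "n/a", strftime(lastTime, "%Y-%m-%d %H:%M:%S"))
| sort -age
| table host, sourcetype, status, lastTime, age
```

Rows that exist only in the lookup keep lastTime = 0, so their age is the current epoch time and they sort to the top as "never seen in window"; age is in seconds, and the search can be saved as an alert that fires when it returns any rows.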
