- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Using "if" when events are present or not present....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, I want to be able to tell at all times whether IPS sensors are up and running, or if they are not. They ingest events multiple times per second. So I would want a real-time red/green style monitor that would determine whether Splunk is ingesting events, or whether it is not. Any ideas (Cisco Sourcefire with eStreamer)? I know it's probably simple, but still learning. It would start with:
sourcetype=eStreamer sensor=CORPSF01| eval if
Lost from there as to what to do, thanks! I plan to setup a dashboard with all of my sensors that would show red or green.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like this would be a simple search with a "if no events, then alert" if I'm reading your request right. I would accomplish this using stats count, then in the alert condition, specify to alert if count=0 for any specific scan. Depending on your system you may have to adjust for index latency (shift scan window 1-2 minutes into the past).
sourcetype=eStreamer sensor=CORPSF01| stats count
You could improve the search from there by breaking it by something meaningful for instance "stats count by host", then you'd get an alert if any host stopped sending data rather than when the whole sourcetype went blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems like this would be a simple search with a "if no events, then alert" if I'm reading your request right. I would accomplish this using stats count, then in the alert condition, specify to alert if count=0 for any specific scan. Depending on your system you may have to adjust for index latency (shift scan window 1-2 minutes into the past).
sourcetype=eStreamer sensor=CORPSF01| stats count
You could improve the search from there by breaking it by something meaningful for instance "stats count by host", then you'd get an alert if any host stopped sending data rather than when the whole sourcetype went blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked, I simply setup a filler gauge with 0 to 1 as red, then 1 to 10 as green for the last 15 minutes in real-time. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any idea as to how I could limit my searches to only return an event count of 10? I don't need to see 2,035,353 events on my gauge, only ten results is fine (most recent) so that my searches aren't taking up too much horsepower.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
