alert if field missing over x mins

stephenmoorhous
Path Finder

Hi, for a given index and sourcetype I have a field called host which can be one of 4 values.
There are normally several log lines for each host every minute.
I would like an alert if one of the hosts stops logging for, say, 5 minutes.

I have

index=myindex sourcetype=mysourcetype earliest=-5m | stats count by host

and the alert to trigger if the value is 0 - but if one of the hosts is not in the logs, you get

host    count
host-a  128
host-b  143
host-d  122

and host-c is missing rather than 0, so nothing triggers 😞

Any ideas other than 4 separate alerts?

1 Solution

gcusello
SplunkTrust

Hi stephenmoorhouse,
I suggest you insert your host list in a lookup (e.g. perimeter.csv) and then use this lookup for searching for the missing ones. Note that for only 4 hosts it isn't mandatory to use a lookup, you could insert them in your search (host=host1 OR host=host2 OR host=host3 OR host=host4), but it's a best practice!
Anyway, try something like this:

index=myindex sourcetype=mysourcetype earliest=-5m
| eval host=upper(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0

In this way you get all hosts that didn't send logs in the last 5 minutes.

You can use it in an alert scheduled every 5 minutes or, without the last row, in a dashboard panel to show all monitored hosts, highlighting the missing ones.
You can also show this panel as a table with coloured icons.

Bye.
Giuseppe


Ravan
Path Finder

It can be done in multiple ways.

• Host lookup (have a lookup uploaded with the list of hosts):

| inputlookup lookup_hosts.csv | table host | join type=outer host [ search index=myindex sourcetype=mysourcetype earliest=-5m | stats count by host ] | search NOT count=*

• Increase the time frame:

index=myindex sourcetype=mysourcetype earliest=-15m | dedup host | table _time host | where _time < now() - 300

• Similar to the above logic, but consider using either the _internal licence metrics or the tstats command.
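Combining the lookup pattern from gcusello's solution with Ravan's tstats and wider-time-frame suggestions, here is an added example search that is not from any post in this thread. It assumes perimeter.csv has a host column, that the alert runs every 5 minutes with the trigger condition "number of results > 0", and that 300 seconds of silence is the threshold; tstats reads the index summary instead of raw events, and fillnull turns a host with no events into count=0 so it can never vanish from the results the way host-c did.

```spl
| tstats count max(_time) AS last_seen
    WHERE index=myindex sourcetype=mysourcetype earliest=-15m
    BY host
| inputlookup append=true perimeter.csv
| eval host=upper(host)
| fillnull value=0 count last_seen
| stats sum(count) AS Total max(last_seen) AS last_seen BY host
| eval silent_for_s=if(Total=0, null(), now()-last_seen)
| where Total=0 OR silent_for_s>300
| table host Total last_seen silent_for_s
```

Hosts with Total=0 never appeared in the 15-minute window; hosts with silent_for_s above 300 did log earlier in the window but have gone quiet, and last_seen shows when. The append-and-sum shape also avoids the subsearch result limits that a join can run into.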

neilfajardo15
Engager

Hi @gcusello, I'm currently stuck with the same issue as this, but the difference is I don't use inputlookup for my query. I have seen this comment of yours, and it is possible to add the host in the search as you say, but I'm not sure how I can add it to this query, because I'm also using the same but I'm not using host, I'm using another field from the event logs. Thanks in advance.

gcusello
SplunkTrust

Hi @neilfajardo15,

if you have few hosts it is possible to insert them in the search, even if I always suggest using the lookup to have a more maintainable object.

So, if you have three hosts, you could run something like this:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | makeresults | eval host="host1", count=0 | fields host count ]
| append [ | makeresults | eval host="host2", count=0 | fields host count ]
| append [ | makeresults | eval host="host3", count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

P.S.: next time, please, open a new question.
