Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk - create alert for a specific host not sending data in last 30 min using metadata

roysm619
New Member
‎06-07-2017 12:41 AM

Below is the search that i have prepared to check for the host named nmshost01 not sending data for over 30 min

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > (1800)| sort age d | convert ctime(lastTime) |fields host,age

This search yields appropriate results. I am unable send any alert using this as events show 0 while statistics show the result.

What is the right option to select when we save as alert. The options i get in the drop down are :
1. per results
2. number of results
3. number of hosts
4. number of sources
5. custom

I have tried number of results but i don't get any alert triggered as events show 0 in metadata search

0 Karma
Reply

dineshraj9
Builder
‎06-07-2017 02:23 AM

Your query will return a result only when the host hasn't reported in last 30mins -

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > 1800 | sort age d | convert ctime(lastTime) |fields host age lastTime

Hence the condition selected should be "number of events" greater than 0.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...