Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk - create alert for a specific host not sending data in last 30 min using metadata

roysm619
New Member
‎06-07-2017 12:41 AM

Below is the search that i have prepared to check for the host named nmshost01 not sending data for over 30 min

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > (1800)| sort age d | convert ctime(lastTime) |fields host,age

This search yields appropriate results. I am unable send any alert using this as events show 0 while statistics show the result.

What is the right option to select when we save as alert. The options i get in the drop down are :
1. per results
2. number of results
3. number of hosts
4. number of sources
5. custom

I have tried number of results but i don't get any alert triggered as events show 0 in metadata search

0 Karma
Reply

dineshraj9
Builder
‎06-07-2017 02:23 AM

Your query will return a result only when the host hasn't reported in last 30mins -

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > 1800 | sort age d | convert ctime(lastTime) |fields host age lastTime

Hence the condition selected should be "number of events" greater than 0.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...