Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunk - create alert for a specific host not sending data in last 30 min using metadata

roysm619
New Member
‎06-07-2017 12:41 AM

Below is the search that i have prepared to check for the host named nmshost01 not sending data for over 30 min

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > (1800)| sort age d | convert ctime(lastTime) |fields host,age

This search yields appropriate results. I am unable send any alert using this as events show 0 while statistics show the result.

What is the right option to select when we save as alert. The options i get in the drop down are :
1. per results
2. number of results
3. number of hosts
4. number of sources
5. custom

I have tried number of results but i don't get any alert triggered as events show 0 in metadata search

0 Karma
Reply

dineshraj9
Builder
‎06-07-2017 02:23 AM

Your query will return a result only when the host hasn't reported in last 30mins -

| metadata type=hosts index=* | search host="nmshost01"| eval age = now()-lastTime | where age > 1800 | sort age d | convert ctime(lastTime) |fields host age lastTime

Hence the condition selected should be "number of events" greater than 0.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...