Solved: How to monitor inactive sourcetypes(or inactive in...

512anagha · ‎07-04-2017

I need to create alert for inactive sourcetypes or index. All the logs are coming from a single host( a syslog server), so cannot create an alert based on host.

For using metadata command "type" is required but I am unable to set type as index or sourcetype
| metadata type=hosts | sort recentTime | convert ctime(recentTime) as Latest_Time

The following usecase helps me to get all the indexes and source types, but I am unable to set the time to check for the inactive requirement.
| tstats values(sourcetype) where index=* group by index

dineshraj9 · ‎07-04-2017

You have to use type=sourcetypes with metadata.

For sourcetypes that didn't report data in last 7 days -

| metadata type=sourcetypes | eval diff=now()-lastTime | where diff > 3600*24*7 | convert ctime(lastTime) | convert ctime(firstTime)  | convert ctime(recentTime) | sort -diff

View solution in original post

dineshraj9 · ‎07-04-2017

You have to use type=sourcetypes with metadata.

For sourcetypes that didn't report data in last 7 days -

| metadata type=sourcetypes | eval diff=now()-lastTime | where diff > 3600*24*7 | convert ctime(lastTime) | convert ctime(firstTime)  | convert ctime(recentTime) | sort -diff

x3ncrypt · ‎01-23-2022

Is there an equivalent search for indexes? Thanks

gjanders · ‎07-05-2017

Alternatively have a look at metawoot this provides an enhanced metadata list in the form of a lookup file with more detail than the default metadata command...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

How to monitor inactive sourcetypes(or inactive indexes) in Splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life