I need to obtain | metadata generated results as search events, because I need to associate an alert with hosts whose recentTime is too old.
What's the search corresponding to:
| metadata type=hosts index=_internal
Hi,
There is an app for missing data / sourcetype. It's called Broken Hosts for Splunk.
It has some nice queries that you could reuse if you do not want to use the app itself.
Link: https://splunkbase.splunk.com/app/3247/
Good luck!
Hello, I installed the application. It seems to suffer from the same defect as my query: it returns statistics rows, not events. How can I attach an alert to it?
@mseguri, are you looking for something like the following addinfo example in Splunk Docs? https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo#2._Determine_which_heart...
This works for me. Replace the zero with your desired interval.
| metadata type=hosts index=_internal | where (now()-recentTime)>0 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
@richgalloway I didn't try your query, but it seems not to answer my question. I need a query that returns search events. Yours just returns results in a table. Thanks
If you want to create an alert for hosts with too old of a recentTime value, use the query I offered and set the alert to trigger if the number of events is not zero.
If you just want the events themselves then omit the table command.
@richgalloway The query you wrote is very similar to the one I wrote and that led me to open this question. Our query does not return events. It is not possible to attach any alert to it. It returns results, not events. Alerts are based on events. The alert you suggest will never trigger. Is it clearer now?
I was able to create an alert using the above query. The key seemed to be setting the trigger to be "Number of Hosts" greater than zero rather than "Number of results".
Notice Splunk uses the term "results" rather than "events" in the trigger definition.
I tried "Number of hosts" with no success
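As an added illustration (not posted by anyone in this thread), here is the alert approach richgalloway describes expressed as a savedsearches.conf stanza: the search emits one result row per host whose recentTime is older than a threshold, and the trigger counts those rows. The 1-hour threshold, the 15-minute schedule, the stanza name and the e-mail address are assumptions chosen for the example.

```ini
# Added example: savedsearches.conf stanza for a "stale host" alert.
# The search is the one from the thread, with an explicit age field so the
# threshold (3600 s = 1 hour, an assumed value) is visible in the results.
[stale_hosts_alert]
search = | metadata type=hosts index=_internal \
| eval age_sec = now() - recentTime \
| where age_sec > 3600 \
| fieldformat recentTime = strftime(recentTime, "%Y-%m-%d %H:%M:%S") \
| table host recentTime age_sec

# Run every 15 minutes (assumed schedule); metadata results do not depend on
# the dispatch time range, but the alert needs a scheduled window anyway.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now

# "number of events" in the .conf is what the UI labels "Number of Results":
# it counts the rows the search returns, so one stale host is enough to fire.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Keep the triggered alerts listed under Activity > Triggered Alerts and notify.
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = secops@example.com
action.email.subject = Hosts with stale recentTime in _internal
```

Because every triggered run lists the affected hosts in its result rows, the same stanza also serves as a detection record of which forwarders stopped reporting and when.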