Splunkers,
To meet a regulatory requirement, I need to alert if a syslog device does NOT send data to the Indexers in a 24 hour period.
For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, an alert must be generated.
This alert needs to have a hostname.
We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16 and it will always be 16 for this specific device type.
Any advice would be greatly appreciated.
Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.
| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
Hi matthew.foos,
You should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and then schedule an alert like this:
| metasearch index=*
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ]
| stats sum(count) AS Total by host
| where Total=0
You should check what the minimum time period for monitoring is, because 24 hours is probably too large a period.
Bye.
Giuseppe
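Added example (not from this thread or from Splunk): a small Python model of the two answers above, run over constructed events, showing why the lookup-based version is needed for hosts that never report at all. NOW, SAMPLE_EVENTS and PERIMETER are constructed values, and the second function assumes the alert is scheduled over a 24-hour time range.

```python
DAY = 86400  # seconds; the thread's "diff > 86400" threshold

# Constructed sample events: (host, epoch seconds of the event).
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    ("splunk1", NOW - 3600),
    ("splunk1", NOW - 7200),
    ("splunk2", NOW - 2 * DAY),   # last seen two days ago
    ("Splunk3", NOW - 600),       # mixed case, as real syslog hostnames often are
]
# Constructed contents of perimeter.csv: every host that must report.
PERIMETER = ["splunk1", "splunk2", "splunk3", "splunk4"]  # splunk4 has never sent data


def recent_time_by_host(events):
    """Equivalent of '| metadata type=hosts': latest timestamp per host,
    with host names upper-cased the way Giuseppe's query does."""
    latest = {}
    for host, ts in events:
        key = host.upper()
        latest[key] = max(ts, latest.get(key, ts))
    return latest


def silent_hosts_metadata(events, now=NOW, threshold=DAY):
    """First answer: hosts whose recentTime is older than the threshold.
    A host that has never indexed anything is absent from metadata, so it
    can never trigger this alert."""
    latest = recent_time_by_host(events)
    return sorted(h for h, ts in latest.items() if now - ts > threshold)


def silent_hosts_perimeter(events, perimeter, now=NOW, threshold=DAY):
    """Second answer: compare the hosts seen in the search window against the
    perimeter lookup, so hosts with zero events (Total=0) are reported too."""
    seen = {h.upper() for h, ts in events if now - ts <= threshold}
    return sorted(h.upper() for h in perimeter if h.upper() not in seen)


if __name__ == "__main__":
    print("metadata-only :", silent_hosts_metadata(SAMPLE_EVENTS))
    print("with perimeter:", silent_hosts_perimeter(SAMPLE_EVENTS, PERIMETER))
```

On the constructed data the metadata approach reports only SPLUNK2, while the perimeter approach also reports SPLUNK4, which has no events at all.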
Hi Richgalloway,
Can I know what this "where diff > 86400" is trying to say in the query?
The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question).