Solved: Send email when application server/network device ...

satoshi86 · ‎10-08-2012

Hi All,

Is there a way for Splunk to send out an email notification when Splunk is not receiving any syslog entries from an application server or a network device?

Thanks.

lguinn2 · ‎10-08-2012

Yes, although you need to define some criteria. For example -

Search for hosts that have sent syslog events in the past week, but have not sent syslog events in the past hour.

Here is a search that would work:

sourcetype=*syslog* earliest=-7d 
| fields host 
| eval hcount = if (_time>=relative_time(now(),"-1h"),1,0)
| stats sum(hcount) as hourlyCount count as weeklyCount by host
| where hourlyCount == 0

You could then schedule this to run every hour and alert if number of events is greater than zero.

View solution in original post

lguinn2 · ‎10-08-2012

Yes, although you need to define some criteria. For example -

Search for hosts that have sent syslog events in the past week, but have not sent syslog events in the past hour.

Here is a search that would work:

sourcetype=*syslog* earliest=-7d 
| fields host 
| eval hcount = if (_time>=relative_time(now(),"-1h"),1,0)
| stats sum(hcount) as hourlyCount count as weeklyCount by host
| where hourlyCount == 0

You could then schedule this to run every hour and alert if number of events is greater than zero.

satoshi86 · ‎10-19-2012

thanks again for your help Iguinn!!

lguinn2 · ‎10-10-2012

Sorry, it's a typo. I've updated my original answer to fix it! Thanks for commenting and sorry about that.

satoshi86 · ‎10-10-2012

Hi Iguinn,
I tried to run your command and it gives me the error:-

Error in 'eval' command: The arguments to the 'relative_time' function are invalid.

May I know how do i fix that?
I'm very sorry, I'm kinda weak in programming.

Send email when application server/network device is not pushing syslog to Splunk

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!