- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to Alert on Multiple Hosts Within sourcetype=h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Alert on Multiple Hosts Within sourcetype=httpevent Not Sending Events
Good afternoon,
Long question and I hope I can explain it well enough. I'm using a third party file access logging product for my file servers. The third party logging server has a console where I view the logs but I also use an HEC to forward the same logs to Splunk from the third party logging server. The sourcetype in Splunk is always "httpevent". So the "host" value in Splunk always equals [logcollector] and the sourcetype always equals httpevent. Each event from logcollector has a field of "computer" which identifies what host the event originated from before getting to logcollector.
I want to search through all the "httpevent" types every five minutes and alert me on any "comptuer" that hasn't sent an event in "X" seconds. Each threshold is different so I created a lookup table with host, computer, max_delay, and admin. host is always logcollector, computer is one of the 15 hosts logging to logcollector. I have a similar search for some database connections so I figured I could just modify that one slightly but it's not working. See working search below. The quotes around the less than sign is intentional as it interpreted that as html and truncated everything after the first less than sign:
|tstats max(_time) as latest where index=[my index] by host, source, sourcetype
|search [|inputlookup DB_Source.csv|fields source]
|lookup DB_Source.csv source OUTPUT max_delay, admin
|eval current_delay=now()-latest
|where max_delay"<"current_delay
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(latest)
|rename host as Host, latest as Latest, source as Database current_delay as "Current Delay (seconds)", max_delay as "Max Delay (seconds)"
So I figured I could modify the search to be:
|tstats max(_time) as latest where index=[my index] by host,source, sourcetype
|search [|inputlookup LogCollectorHosts.csv|fields computer]
|lookup LogCollectorHosts.csv computer OUTPUT max_delay, admin
|eval current_delay=now()-latest
|where max_delay"<"current_delay
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(latest)
|rename host as Host, latest as Latest, computer as Computer current_delay as "Current Delay (seconds)", max_delay as "Max Delay (seconds)"
But that search just produces zero results. Any help would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The tstats command only worked on metadata fields (or in other words, indexed fields [fields that are created during index time]). The first query worked as you were only using metadata field in tstats and using the available metadata field from lookup to filter it in line two. In your second search, you still are using metadata field (host source sourcetype), but in next line you're trying to filter with field computer which is not available in the tstats result. Thus no result from the query.
If the field computer exists in your raw data and is an indexed field, then include that in tstats's by clause so it exists for filter.
If the field computer exists in your raw data and is NOT an indexed field, then you've use regular search, instead of tstats and then use the filter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I assumed "computer" was an indexed field but that appears not to be the case. The field is automatically extracted it looks like though. So I revised my search and used the stats command. It looks like this now and I think it's working (quotes added around the less than sign on purpose):
index=[my index] host=LogHost
|stats latest(_time) as LastSeen by computer
|search [|inputlookup LogCollectorHosts.csv|fields computer]
|lookup LogCollectorHosts.csv computer OUTPUT max_delay, admin
|eval current_delay=now()-LastSeen
|where max_delay"<"current_delay
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(LastSeen)
|rename LastSeen as "Last Seen", computer as Computer current_delay as "Current Delay (seconds)", max_delay as "Max Delay (seconds)"
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
