Getting Data In

Identifying "idle" sources

IgorB
Path Finder

How can I get a list of sources that haven't received any events for a given period of time (e.g. for the last 24 hours)? Purpose: alert the Splunk admin if there are "idle" sources.

1 Solution

southeringtonp
Motivator

To find sources that have checked in within the last week, but not within the last 24 hours:

| metadata type=sources
| eval age=now()-recentTime
| where age>86400 and age<604800
| convert ctime(recentTime) as LastEvent

Tune the cutoff values (in seconds) in line 3 as needed.

Replace sources with hosts or sourcetypes if you want to report on those.

To evaluate for a specific source/sourcetype from a specific host, you would have to query the timestamps of raw events instead of using metadata (which can be much slower).

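Here is an added example, not from this answer or from ftk's answer below, that runs the same age/cutoff logic offline in Python over constructed sample data (NOW, METADATA_ROWS and EVENTS are all made up for the demonstration). It reproduces the `eval age=now()-recentTime | where age>86400 and age<604800` check over metadata-shaped rows, and then shows why a per-host check needs raw events: the source-level view is refreshed by any host still sending that source, so one host that has gone quiet is masked until you group by host and source.

```python
"""Idle log-source detection, mirroring the Splunk searches in this thread.

Added example, not code from the original answers. Runs offline over
constructed sample data so the results are deterministic.
"""
from datetime import datetime, timezone

DAY = 86_400     # seconds; the answer's age>86400 cutoff
WEEK = 604_800   # seconds; the answer's age<604800 cutoff

# Constructed "now" (the SPL uses now()); fixed so the output is reproducible.
NOW = 1_700_000_000

# Constructed rows shaped like `| metadata type=sources` output:
# recentTime is the epoch time of the latest event seen for that source.
METADATA_ROWS = [
    {"source": "/var/log/auth.log",    "recentTime": NOW - 600},        # healthy
    {"source": "/var/log/syslog",      "recentTime": NOW - 2 * DAY},    # idle
    {"source": "/var/log/old-app.log", "recentTime": NOW - 10 * DAY},   # retired, beyond lookback
    {"source": "WinEventLog:Security", "recentTime": NOW - 36 * 3600},  # idle
]

# Constructed raw events (what the index holds) for the per-host variant.
EVENTS = [
    {"host": "web01", "source": "/var/log/nginx/access.log", "_time": NOW - 300},
    {"host": "web01", "source": "/var/log/nginx/access.log", "_time": NOW - 5_000},
    {"host": "web02", "source": "/var/log/nginx/access.log", "_time": NOW - 3 * DAY},
    {"host": "web02", "source": "/var/log/auth.log",         "_time": NOW - 100},
]


def last_seen(events, key_fields):
    """Group raw events by key_fields and keep the latest _time per group.

    last_seen(events, ("source",)) approximates `| metadata type=sources`;
    last_seen(events, ("host", "source")) is the per-host check the accepted
    answer says needs raw events (`| stats max(_time) as recentTime by host, source`).
    """
    latest = {}
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        latest[key] = max(latest.get(key, 0), ev["_time"])
    return [dict(zip(key_fields, key), recentTime=t) for key, t in latest.items()]


def find_idle(rows, now=NOW, idle_after=DAY, lookback=WEEK, key_fields=("source",)):
    """Mirror `| eval age=now()-recentTime | where age>idle_after and age<lookback`.

    Rows older than `lookback` are treated as intentionally retired rather than
    idle, which keeps decommissioned sources from alerting forever.
    Returns the matching rows, longest-silent first, with a readable LastEvent.
    """
    idle = []
    for row in rows:
        age = now - row["recentTime"]
        if idle_after < age < lookback:
            hit = {f: row[f] for f in key_fields}
            hit["age"] = age
            hit["LastEvent"] = datetime.fromtimestamp(
                row["recentTime"], tz=timezone.utc).isoformat()
            idle.append(hit)
    return sorted(idle, key=lambda r: r["age"], reverse=True)


if __name__ == "__main__":
    print("Idle sources (metadata view):")
    for hit in find_idle(METADATA_ROWS):
        print(f"  {hit['source']:28} silent {hit['age'] // 3600}h, last event {hit['LastEvent']}")

    # Source-level view hides web02: web01 keeps access.log's recentTime fresh.
    print("Idle by source only:", find_idle(last_seen(EVENTS, ("source",))))

    # Grouping by host and source catches the quiet host.
    print("Idle by host+source:")
    for hit in find_idle(last_seen(EVENTS, ("host", "source")), key_fields=("host", "source")):
        print(f"  {hit['host']} {hit['source']} silent {hit['age'] // 3600}h")
```

The `lookback` upper bound is the same trick as the `age<604800` clause in the search: a source that has not reported in over a week is assumed to be decommissioned, so it drops out of the alert instead of firing every day. If you want retired sources to keep alerting until someone acknowledges them, remove that bound.
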
ftk
Motivator

You can use the following search to identify the last reported time of hosts:

| metadata type=hosts index=blah | sort recentTime desc | convert ctime(recentTime) as Recent_Time

And you can modify it to work on sources by changing hosts to sources:

| metadata type=sources index=blah | sort recentTime desc | convert ctime(recentTime) as Recent_Time