Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help in creating alert for sourcetype not receivng data

vrmandadi
Builder
‎01-16-2020 04:45 PM

I have an index=pan with three sourcetypes pan:abc , pan:xyz, pan:tuv .
I want to create an alert if I dont receive any data for 15 minutes for a sourcetype .

I used the below query .But the query only works for one sourcetype.I dont want to create multiple alerts for each sourcetype .I want to know if there is a easy way to alert for all the three source types in a single query

| metadata type=sourcetypes index=yourindexNameHere | where sourcetype=yourSourcetypeNameHere| eval age=(recentTime-now()) | where age>900 | table sourcetype recentTime age | convert ctime(recentTime)

Thanks in Advance

0 Karma
Reply

to4kawa
Ultra Champion
‎01-16-2020 05:17 PM 
| metadata type=sourcetypes index=pan | where sourcetype="pan:abc" OR  sourcetype="pan:xyz" OR  sourcetype="pan:tuv"
| eval age=now() - recentTime| where age>900 | table sourcetype recentTime age | convert ctime(recentTime)
|eventstats values(sourcetype) as sourcetypes
|eval sourcetypes=mvjoin(sourcetypes,",")

fire alert with $result.sourcetypes$

hi, @vrmandadi
how about this?

0 Karma
Reply

vrmandadi
Builder
‎01-16-2020 05:36 PM

I got it
| metadata type=sourcetypes index=pan
| search sourcetype=pan:*
| eval age=(now() -recentTime) | search age>900
| convert ctime(recentTime)
| eval time=strftime(_time,"%d/%m/%Y %H:%M:%S")

Reply

to4kawa
Ultra Champion
‎01-16-2020 05:42 PM

that's good, please accept the answer.

0 Karma
Reply

marycordova
SplunkTrust
SplunkTrust
‎01-16-2020 04:54 PM

Have you tried a search instead of where and a wildcard in the sourcetype?

(frankly I forget half the time when/where/why to use "search" vs "where" but if one doesn't work try the other and that usually works 😛 )

| metadata type=sourcetypes index=yourindexNameHere | search sourcetype=pan:*| eval age=(recentTime-now()) | where age>900 | table sourcetype recentTime age | convert ctime(recentTime)

@marycordova
0 Karma
Reply

vrmandadi
Builder
‎01-16-2020 05:19 PM

Hello @marycordova

Thank you for your reply .I have few questions .The age gives negative values .What does that mean .Should that not be the other way | eval age=(now() -recentTime) and than based on the age value I can create an alert if is greater than 900 for 15 minutes .I am doing something wrong

0 Karma
Reply

vrmandadi
Builder
‎01-16-2020 05:36 PM

I got it
| metadata type=sourcetypes index=pan
| search sourcetype=pan:*
| eval age=(now() -recentTime) | search age>900
| convert ctime(recentTime)
| eval time=strftime(_time,"%d/%m/%Y %H:%M:%S")

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...