Alerting

Email alert when a data source don't sends events to splunk

andreaf83
Engager

Is possible in splunk to configure no data alert? I want to receive an email alert when, for any reason, a data source don't sends events to my splunk server for a specified time.

Tags (1)

dwaddle
SplunkTrust
SplunkTrust

Yes, provided you can write a search that is specific enough to your data source. See:

http://answers.splunk.com/questions/8764/monitoring-file/8765#8765

0 Karma

ftk
Motivator

The following search looks at all hosts in a given index and returns the ones that have not sent any data in the past 10 minutes (1200 seconds):

| metadata type=hosts index=blah |  convert ctime(recentTime) as Recent_Time | where lastTime < (now() - 1200) 

You could customize the 1200 to the interval of your choice, then schedule this search and set an alert condition, for example Number of results > 1 (which would fire when there are any hosts that haven't checked in in 1200 seconds).

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...