Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an alert to trigger if certain indexes do not receive any events within a certain time range?

kestasm
Path Finder
‎03-24-2015 02:09 AM

Hello,

We are monitoring a few indexes which are very important for us, but sometimes services get stuck and events are not sent to the indexes. Is it possible to create an alert which would send us a notification when there is no event condition met in an hour or any similar timeline?

I tried to using this, but it seems it doesn't work:

|metadata type=index |search index=A OR index=B OR index=C |eval age=now() - lastTime | search age>3600
Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

aaronkorn
Splunk Employee
Splunk Employee
‎03-25-2015 05:15 AM

Try this and adjust your thresholds accordingly then create a search that alerts when it matches your alert criteria:

| tstats latest(_time) AS lastTime WHERE index=_internal OR index=_audit BY index | eval current=now() | eval age_min=round((current-lastTime)/60,2) | rangemap field=age_min default=severe low=0-30 elevated=30-60 | stats max(current) AS "Current Time" max(lastTime) AS "Latest Event" by range index age_min | convert ctime(*Time) ctime("Latest Event")  | rename  age_min AS "Communicated Minutes Ago"

View solution in original post

Reply
Solved! Jump to solution
Solution

aaronkorn
Splunk Employee
Splunk Employee
‎03-25-2015 05:15 AM

Try this and adjust your thresholds accordingly then create a search that alerts when it matches your alert criteria:

| tstats latest(_time) AS lastTime WHERE index=_internal OR index=_audit BY index | eval current=now() | eval age_min=round((current-lastTime)/60,2) | rangemap field=age_min default=severe low=0-30 elevated=30-60 | stats max(current) AS "Current Time" max(lastTime) AS "Latest Event" by range index age_min | convert ctime(*Time) ctime("Latest Event")  | rename  age_min AS "Communicated Minutes Ago"
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎03-24-2015 02:40 PM

Assuming you're on Splunk 6.x, something like the following should do the trick. Also, do you care about the index as a whole or the different sourcetypes within it?

| tstats latest(_time) AS lastTime WHERE index=A OR index=B OR index=C  BY host sourcetype index | eval current=now() | eval age_min=round((current-lastTime)/60,2) | rangemap field=age_min default=severe low=0-30 elevated=30-60 | stats max(current) AS "Current Time" values(sourcetype) AS Sourcetypes list(lastTime) AS "Latest Event" list(age_min) AS age_min list(range) AS Status by host | convert ctime(*Time) ctime("Latest Event")  | eventstats avg(age_min) AS avg_age by host | eval avg_age=round(avg_age,2) | sort - avg_age | rename  age_min AS "Communicated Minutes Ago" avg_age AS "Avg Communicated Minutes Ago"
0 Karma
Reply
Solved! Jump to solution

Pawlub1
Engager
‎06-28-2023 01:07 PM

I like the search, but what are we using as the trigger.

Typically, something like 'search count < 1' for a zero trigger

I tried 'Communicated Minutes Ago < 1' ,but that is not triggering the alert. 

Cheers, Paul

Tags (1)
0 Karma
Reply
Solved! Jump to solution

kestasm
Path Finder
‎03-25-2015 02:11 AM

Just the index as a whole.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...