Solved: Re: How to determine if the log is missing

xsstest · ‎06-07-2017

there are many hosts in an indexer. How do I check if the log is missing?

If a host does not have a log Within an hour, I think it's a log loss

If a host log is lost, I need to find it and remind me.

How does the SPL statement write?

inventsekar · ‎06-07-2017

Hi..
You can create an Alert for this task... and you can add an email notification.
The search query -

index=IndexName host=hostname.com source=/app/Java/1hr.log

and save this as an alert, and add an action for "Send email"

inventsekar · ‎06-07-2017

Hi..
You can create an Alert for this task... and you can add an email notification.
The search query -

index=IndexName host=hostname.com source=/app/Java/1hr.log

and save this as an alert, and add an action for "Send email"

xsstest · ‎06-07-2017

Do I need to set up an alert for each host?

inventsekar · ‎06-07-2017

no need to setup for each host. you can get a list of all hosts that are not connected/sent events for last 1hr, 24hrs, etc.
do you want alerts depending on host or depending on host plus the exact logfile?

The following search will alert you if there are any hosts that haven't sent any data for more than one hour (3600 seconds)

compare last event's time to now

 |metadata type=hosts | eval since=now()-lastTime | search since>3600 |...

OR

 # compare indexer's time when last event came to now

 |metadata type=hosts | eval since=now()-recentTime| search since>3600 |...

How to determine if the log is missing