Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find the name of each server that has not reported in the last 4 hours?

tenyang
New Member
‎06-03-2015 06:38 PM

Hi all,

I am a new one to splunk. Now i am facing some problem to get the data as I want.
I have more than 250 servers forwarding data to splunk, and the events are updated every hour as a group. For example, each server will sent the total number of interaction for the last hour. now I want to find every server name which has not sent data for the last 4 hours.
When I search the event, if there is no data sending, then the server name will not display after search, so I can't get them. My question is how can I get all server names and then find out those who are no longer sending. Please kindly help me on this.
My base search: 

 interaction_count="*" LIVE| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date

Thanks in advance~~~

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400

View solution in original post

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-04-2015 07:05 AM

Here you go!

interaction_count="*" LIVE|bucket _time span=4h| eval date = strftime(_time, "%Y-%m-%d")| stats sum(interaction_count) as sum_interaction_count by mount_name, date|where sum_interaction_count=0
SGF
0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:05 PM

Thanks for your help Stephanefotso.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-04-2015 06:32 AM

Run something like this every hour for the last 24 hours as an Alert:

.... | stats latest(_time) AS lastReportTime BY mount_name | eval silenceSeconds = now() - lastReportTime | where silenceSeconds > 14400
Reply
Solved! Jump to solution

tenyang
New Member
‎06-04-2015 11:04 PM

Thanks so much Woodcock, it works!!

0 Karma
Reply
Solved! Jump to solution

tenyang
New Member
‎06-03-2015 06:43 PM

One thing need mention is that, if there is no interaction in 1 hour, it still send a event, but the sum(interaction_count) is 0. Now I want to find out no data reporting screen, which shows blank not 0 if we show one day event by hour.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...