Tried the above string and it is not working - here is the response from Splunk, whose strings also do not work....
Hard to believe that deployment monitor is legacy and not going to be updated. Why would you dump support for a good app?
Hi John,
This appears to be a known bug in deployment monitor. Unfortunately deployment monitor is now a legacy app that is no longer supported for bug fixes.
What one can do is take a look at the underlying query by clicking on "inspect":
search index="_internal" source="*license_usage.lo*" type!=*Summary
| eval lastReceived = _time
| rename s as source st as mysourcetype h as host b as bytes o as originator
| eval my_splunk_server = splunk_server
| fields lastReceived source mysourcetype host bytes pool originator my_splunk_server
| stats sum(bytes) as bytes max(lastReceived) as lastReceived by mysourcetype
| append [search earliest=@d index="_internal" source="*license_usage.lo*" type!=*Summary
    | eval lastReceived = _time
    | rename s as source st as mysourcetype h as host b as bytes o as originator
    | eval my_splunk_server = splunk_server
    | fields lastReceived source mysourcetype host bytes pool originator my_splunk_server
    | stats sum(bytes) as bytes max(lastReceived) as lastReceived by mysourcetype
    | rename bytes as bytes_today ]
| stats max(bytes) as bytes max(lastReceived) as lastReceived max(bytes_today) as bytes_today by mysourcetype
| eval status = if(isnull(bytes) or lastReceived<(now()-900),"missing","active")
| search status="missing"
| sort -lastReceived
| fields mysourcetype lastReceived bytes status
| rename lastReceived as "Last Connected" mysourcetype as "Sourcetype" bytes as "Bytes" status as "Status"
You could try to convert the Last Connected field to realtime by adding the following pipe to the end of the above search:
| convert ctime("Last Connected")
Then save that search query as an alert, and see if the email shows in realtime.
Be aware this is just a sample query that is unsupported; it is only to give you an idea of some workaround options. Also know that the time reported in the email will not conform to users who are in varying time zones. We suggest you experiment and see what works for you. If you have questions about creating your own queries you can post them on answers.splunk.com.
Please let us know if this answers your question.
Regards,
Splunk Support
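As an added example, not part of the support reply or of the deployment monitor app: the same "sourcetype has gone quiet" check written as a stand-alone search that can be saved directly as an alert. It keeps the license_usage.log field names used in the quoted query (st, b) and the 15-minute (900 s) threshold that query implies; the 7-day window, the idle_minutes column and the "%Z" time-zone suffix are assumptions added here to address the time-zone caveat in the reply.

```spl
``` search bounded to a week so the alert does not scan all of _internal every run ```
index="_internal" source="*license_usage.log" type!=*Summary earliest=-7d@d
``` st = sourcetype, b = bytes in license_usage.log ```
| rename st AS mysourcetype, b AS bytes
``` one row per sourcetype: total bytes and the timestamp of the newest usage record ```
| stats sum(bytes) AS bytes, max(_time) AS lastReceived BY mysourcetype
``` compare against the search-time clock, not against the row's own timestamp ```
| eval idle_seconds = now() - lastReceived
| eval status = if(isnull(bytes) OR idle_seconds > 900, "missing", "active")
| where status="missing"
| eval idle_minutes = round(idle_seconds / 60, 1)
``` render the epoch as text and stamp it with the zone it was rendered in (%Z) ```
| eval "Last Connected" = strftime(lastReceived, "%Y-%m-%d %H:%M:%S %Z")
| sort - lastReceived
| table mysourcetype, "Last Connected", idle_minutes, bytes, status
| rename mysourcetype AS "Sourcetype", bytes AS "Bytes", status AS "Status"
```

Two design points. The comparison uses now() rather than the row's own lastReceived, so a sourcetype is flagged when its newest record is older than 900 seconds at the time the alert runs, which is the condition the original query appears to be after. The timestamp is rendered with strftime instead of convert ctime so the format is explicit and carries the zone abbreviation; Splunk still renders it in the time-zone preference of the user who owns the saved search, so recipients in other zones can at least see which zone the value is in. Note the trade-off of the earliest=-7d@d bound: a sourcetype that has been silent for longer than the window has no rows at all and drops out of the result entirely, so widen the window if you need to keep reporting on long-dead sourcetypes. The triple-backtick lines are SPL inline comments and require Splunk 8.0 or later; remove them on older versions.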