Detect Dying Sourcetypes

This alert takes a prior dataset of the indexes and sourcetypes that reported over a longer window and pairs it with a more recent dataset covering a shorter window. Appending the two result sets lets you view sourcetypes that existed in the prior period but have since stopped reporting.
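The comparison described above, written out as an added SPL search (not the alert from the original post); it assumes a 30-day prior window against a 1-day recent window and that `tstats` can read the indexed `index` and `sourcetype` fields, which needs no data model.

```spl
| tstats count AS prior_count WHERE index=* earliest=-30d@d latest=-1d@d BY index sourcetype
| append
    [| tstats count AS recent_count WHERE index=* earliest=-1d@d latest=now BY index sourcetype]
| stats sum(prior_count) AS prior_count sum(recent_count) AS recent_count BY index sourcetype
| fillnull value=0 prior_count recent_count
| where prior_count > 0 AND recent_count = 0
| sort - prior_count
```

Rows that survive the final `where` are the index/sourcetype pairs seen in the prior window but absent from the recent one; sources that legitimately go quiet for longer than a day (weekly jobs, weekend-only systems) will appear too, so widen the recent window for those rather than treating every hit as an outage.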

Comments

  1. Andre Tucker

    Wouldn’t the metadata command be better for this? It’s much faster imo. The only thing is it breaks things out only by sourcetype or host but not index. However, using a subsearch to add the index in could be done with the metasearch command which is also pretty quick and neither of these commands rely on data models being correct or accelerated.