SPL

Host not sending logs for x days

Description

Submitted by pradeep577

This Splunk query lists hosts that have stopped sending logs for at least 48 hours. Two settings need tuning for your environment. First, the search time range: `tstats` only sees events inside the time picker, so if the range is shorter than the threshold (for example, the last 24 hours) a host that went quiet 48 hours ago has no events in the window and the query returns nothing for it; the range must reach back well past the threshold. Second, the threshold itself: change `age>=48` to whatever is appropriate for your log volume.

Two caveats on the query as written. The `index!="*_"` filter only excludes indexes whose names end in an underscore; if the intent is to skip Splunk's internal indexes (`_internal`, `_audit`, and so on), which begin with an underscore, the pattern should be `index!="_*"`, and `index=*` is needed if you want every index rather than your default ones. Also, because the results are split by host, sourcetype and index before `dedup host` keeps one row per host, a host that is still sending one sourcetype is reported as soon as any other of its sourcetypes goes stale; drop `sourcetype index` from the `by` clause if you want a strictly per-host view.
| tstats count as countAtToday latest(_time) as lastTime where index!="*_" by host sourcetype index
| eval age=round((now()-lastTime)/60/60,1)
| search age>=48
| sort 0 age d
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| eval age=age."hour"
| dedup host
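The query above can only report a host that still has at least one event inside the search window; a host that has sent nothing at all in that window never appears in the `tstats` output and is silently missed. The following variant, added here as an example and not part of pradeep577's submission, closes that gap by comparing the observed hosts against a list of hosts that are expected to report. It assumes a CSV lookup named expected_hosts.csv with a single `host` column; that lookup name and column are assumptions, not something the original query uses.

```spl
| tstats latest(_time) as lastTime where index=* by host
| inputlookup append=true expected_hosts.csv
| stats max(lastTime) as lastTime by host
| eval age_hours=if(isnull(lastTime), null(), round((now()-lastTime)/3600,1))
| where isnull(lastTime) OR age_hours>=48
| eval status=if(isnull(lastTime), "no events in search window", "stale for ".age_hours." hours")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| sort 0 - age_hours
```

`inputlookup append=true` adds one row per expected host with no `lastTime`; the `stats max(...) by host` merge leaves `lastTime` null for hosts that had no events, and `where isnull(lastTime) OR age_hours>=48` keeps both those and the hosts whose last event is older than the threshold. `sort 0` removes the default 10,000-row cap on `sort`. Run it over a window longer than the threshold (for example, the last 7 days) and schedule it as an alert; `index=*` still only covers the indexes the running user is allowed to search.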
