Trigger an alert if data is not coming to an index
Every one of us knows how good Splunk is at analysing and visualising indexed data, but what if data suddenly stops arriving in one of your indexes? How will you know what is happening behind your back, or for how long the data has not been coming in? Would you be relaxed if you found out, only after a manual check, that the index had received no data for the past hours or days? The problem gets even more dramatic if you use the data from this index for real-time reports and visualisations.
We have come up with a very simple solution for this; after seeing it you will realise how effective even a small SPL query can be. It takes just 3 steps.
Say we have an index “test_index” for which we want an alert if no data has arrived for the past 2 hours.
The query is pretty short and simple, but does the miracle!!!
index="test_index" earliest=-2h latest=now | stats count
Step 1) Replace “test_index” with your index name and adjust the values of earliest and latest to your requirement, and you are ready to go.
Step 2) Click the Save As option and select Alert; you will get an alert creation pop-up as shown below:
Step 3) Fill in the alert form and make the changes shown in the picture above.
That’s it! You have successfully set an alert for your index; it will trigger whenever the index has received no data during the specified window.
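The same three steps can be done programmatically against Splunk's REST API. The script below is an added example, not code from the original post; the Splunk URL and token are placeholders, and it assumes the standard saved/searches endpoint with a bearer token. It also handles one detail the form hides: `stats count` always returns one row even when the count is 0, so the trigger must be a custom condition on the count field rather than "number of results equals 0".

```python
"""Create the 'no data in index' alert from the steps above via the REST API.
Example code, not from the original post. Host and token are placeholders."""
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

SPLUNK_URL = "https://splunk.example.invalid:8089"  # placeholder, not a real host
SPLUNK_TOKEN = "REPLACE_WITH_TOKEN"                 # placeholder

_WINDOW = re.compile(r"^\d+[smhd]$")          # e.g. 30m, 2h, 1d
_INDEX = re.compile(r"^[A-Za-z0-9_-]+$")      # reject anything that could alter the SPL


def missing_data_spl(index: str, window: str = "2h") -> str:
    """Return the page's check for one index: the event count over the window."""
    if not _WINDOW.match(window):
        raise ValueError(f"bad window: {window!r}")
    if not _INDEX.match(index):
        raise ValueError(f"bad index name: {index!r}")
    return f'index="{index}" earliest=-{window} latest=now | stats count'


def build_alert(index: str, window: str = "2h", cron: str = "0 * * * *",
                email_to: Optional[str] = None) -> dict:
    """Saved-search parameters for the saved/searches endpoint (steps 2 and 3).
    `stats count` yields one row even when count is 0, so a 'number of results'
    trigger would never fire; a custom condition on the count field is used."""
    payload = {
        "name": f"no_data_{index}_{window}",
        "search": missing_data_spl(index, window),
        "is_scheduled": "1",
        "cron_schedule": cron,                     # run hourly by default
        "dispatch.earliest_time": f"-{window}",
        "dispatch.latest_time": "now",
        "alert_type": "custom",
        "alert_condition": "search count=0",       # fire only when nothing arrived
        "alert.severity": "4",                     # 4 = error
        "alert.track": "1",                        # list it under Triggered Alerts
    }
    if email_to:
        payload["actions"] = "email"
        payload["action.email.to"] = email_to
    return payload


def create_alert(payload: dict, base_url: str = SPLUNK_URL, token: str = SPLUNK_TOKEN) -> int:
    """POST the alert definition to Splunk; returns the HTTP status code."""
    req = urllib.request.Request(f"{base_url}/servicesNS/nobody/search/saved/searches",
                                 data=urllib.parse.urlencode(payload).encode(),
                                 method="POST", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_alert("test_index", "2h", email_to="soc@example.invalid"), indent=2))
```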
Thanks, for your visit.
Happy Splunking!!