Splunkers,
To meet a regulatory requirement, I need to alert if a syslog device does NOT send data to the Indexers in a 24-hour period.
For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, an alert must be generated.
This alert needs to have a hostname.
We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16, and it will always be 16 for this specific device type.
Any advice would be greatly appreciated.
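One way to build such an alert, as an added example rather than code from the original post: keep the list of devices that must report in a lookup (here assumed to be named expected_syslog_hosts.csv with a single host column), left-join the last 24 hours of synthetic-transaction events onto it, and return only the hosts with no events, so the alert result carries the missing hostname.

```spl
| inputlookup expected_syslog_hosts.csv
| fields host
| join type=left host
    [ search index=network message_text="Login failed for user SynTran01 - sshd" earliest=-24h latest=now
      | stats count by host ]
| fillnull value=0 count
| where count=0
| eval status="NO DATA in last 24h"
| table host count status
```

Save it as a scheduled alert running once a day with the trigger condition "number of results is greater than 0"; a silent device then appears as a row with its host value and count=0, while devices that sent any events drop out.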