Running Splunk Enterprise 6.3.x (and 6.4.4 as well, same story). I want to alert when we see syslog messages start coming in with IP addresses instead of hostnames, indicating a possible DNS resolution issue. I use the following search:
| tstats count where index=* by host | regex host="(?:\d{1,3}\.){3}\d{1,3}"
Works great! But I can't get an alert to trigger. The search returns statistics, but no events... what do I need to do for the trigger condition? I've tried all the available choices. Number of results, number of hosts, number of sources. Haven't found the magic words for custom either.
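The filter the search applies, as an added example that is not part of the original post: it runs the post's regex over constructed rows shaped like `| tstats count where index=* by host` output, and also shows a stricter anchored variant (an assumption added here, not from the post) because Splunk's `regex` command matches anywhere in the field, so a hostname that merely contains a dotted quad, or one with an octet above 255, also passes the unanchored pattern.

```python
import ipaddress
import re

# The pattern from the post. Splunk's `regex` command searches the field,
# so without anchors it matches a dotted quad anywhere inside the host value.
PAGE_PATTERN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Stricter variant (assumption, not from the post): anchored, so only a host
# value that is entirely dotted-quad shaped can match.
ANCHORED_PATTERN = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed stand-in for the tstats output: one row per host with a count.
SAMPLE_ROWS = [
    {"host": "web01.example.com", "count": 1200},
    {"host": "10.1.2.3", "count": 45},
    {"host": "192.168.0.10", "count": 7},
    {"host": "app-10.1.2.3.corp.example.com", "count": 300},  # contains a quad
    {"host": "999.1.2.3", "count": 2},                        # octet out of range
]


def _valid_ipv4(text):
    """True only if text parses as a real IPv4 address (octets 0-255)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def ip_like_hosts(rows, strict=False):
    """Return the rows whose host looks like an IPv4 literal.

    strict=False mirrors the post's unanchored `| regex host=...`.
    strict=True anchors the pattern and validates each octet, so hosts that
    merely contain a dotted quad, or use impossible octets, are excluded.
    """
    hits = []
    for row in rows:
        host = row["host"]
        if strict:
            if ANCHORED_PATTERN.match(host) and _valid_ipv4(host):
                hits.append(row)
        elif PAGE_PATTERN.search(host):
            hits.append(row)
    return hits


def should_alert(rows, strict=False):
    """The alert decision the post is after: fire when at least one host in
    the tstats output is reporting under an IP literal instead of a name."""
    return len(ip_like_hosts(rows, strict)) > 0
```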