Hi Splunkers,
How do I calculate the logging frequency of my index=xxx sourcetype=yyy host=zzz?
Explanation: I have a different set of logs which sends logs with different frequency, some of them send every minute/hour and some of them send the logs once a day. so basically logging frequency is not fixed, it's dynamic.
I'm trying to find out a way to alert if a particular index=xxx sourcetype=yyy host=zzz stops sending logs, I want a dynamic way of calculating the frequency threshold wherein I can say (now()-last_event_time) > threshold, I don't want to use something like which is basically find the difference between the last event time VS the current and some random threshold.
**I want Splunk to tell the ideal threshold for my index,sourcetype and host combination.**
For example; A particular logs from index=a host=b sourceype=c logs once in a day, so here I want Splunk to tell 1day or 24 hours as the threshold to set for an alert.
another example, a particular logs from index=g sourcetype=h host=i logs every 4.5 hours, so, in this case, Splunk to give the threshold as ~4.5 hours
**so using this I can set an alert like (now()-last_event_time) > threshold**
Thanks in advance.
Happy Splunking.
↧