Hi,
Just wondering if someone knows how to be alerted if a host hasn't sent any logs in 10 minutes?
I've only seen examples where entire indexes haven't received any events, but I want to be able to detect individual hosts.
Thanks
hey,
a possibility would be to run a query from now till now-20m and then have two aggregations, that each aggregate on the hostname, however one is filtered on now till now-10m and the other from now-10m till now-20m. Then you could compare those buckets for missing hosts.
Hope this helps to give you an idea.
--Alex
Ah good idea! I'll give it a go and post the alert once I have it working!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.