search query to detect if soutceCategory is collecting data

Follow
Avatar
David Filippelli
Want to create a search/alert if a certain sourceCategory is collecting data. Example My app logs have not been sending data for 5 days. If I could search the sourceCategory (Dev/applogs)for the last 15 mins and if I don't get anything or if time stamp is old then trigger.
0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Jeff Holland
    I do this by running a scheduled query every 60min that looks at the last 60min worth of data. If the result from the query (using 1min timeslices) is equal to 0, it alerts me via a webhook. Query (edit as necessary): _sourcecategory= | timeslice by 1m| count by _timeslice,_sourcehost | where _sourcehost matches "your_sourceHost_name"| sort + _timeslice | where _count > 0 Schedule settings: Screen Shot 2016-10-31 at 1.05.44 PM
    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post