SOC Experts Community - Beta

1 Answer

by (180 points)

By failed I assume the logs are not being sent to Splunk.

You can create an alert for the same considering the last time you received logs from that particular source type/host.

There is a command, metadata, which can be used for this purpose.

Metadata gives you the first/last/recent events that were seen for the host/source/sourcetype that you specify.

It would look something like this:

| metadata type=sourcetypes index="xyz" 

Result:

firstTime    lastTime     recentTime   sourcetype
1561540299   1563419672   1563419673   ActiveD
1561544581   1563419705   1563419705   win

You can just convert the time and subtract it from the present time.
This works. You can refer: for better understanding.
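The staleness check described in the answer above, as an added example that is not part of the original post: it parses output shaped like the metadata result, converts the epoch lastTime values, and flags any sourcetype not seen within a threshold. The sample rows, the "now" value and the threshold are constructed assumptions, not real Splunk output.

```python
"""Flag Splunk sourcetypes whose lastTime (epoch seconds) is older than a
threshold, mirroring the '| metadata type=sourcetypes' approach above.
The sample rows are constructed to match the shape of that result; the
'now' value and threshold are assumptions chosen for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the metadata result in the answer.
SAMPLE_METADATA = """\
firstTime    lastTime     recentTime   sourcetype
1561540299   1563419672   1563419673   ActiveD
1561544581   1563419705   1563419705   win
"""


def parse_metadata(text):
    """Parse whitespace-separated metadata rows into dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split()))
        for key in ("firstTime", "lastTime", "recentTime"):
            row[key] = int(row[key])  # epoch seconds -> int
        rows.append(row)
    return rows


def stale_sources(rows, now, max_age):
    """Return (sourcetype, age) for rows whose lastTime is older than max_age.

    'now' is a timezone-aware datetime; 'max_age' is a timedelta.
    """
    stale = []
    for row in rows:
        last_seen = datetime.fromtimestamp(row["lastTime"], tz=timezone.utc)
        age = now - last_seen
        if age > max_age:
            stale.append((row["sourcetype"], age))
    return stale


if __name__ == "__main__":
    # Assumed 'now': one hour after the newest lastTime in the sample.
    now = datetime.fromtimestamp(1563419705 + 3600, tz=timezone.utc)
    for name, age in stale_sources(parse_metadata(SAMPLE_METADATA), now,
                                   timedelta(minutes=15)):
        print(f"ALERT: no events from sourcetype {name} for {age}")
```

In Splunk itself the same comparison can be done in the search with eval on now() and lastTime, then alerting on the rows that exceed the threshold.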
