topic Re: How to create an alert when searched index has no data in Splunk Search

How to create an alert when searched index has no data

dmws — Fri, 16 Aug 2019 19:00:45 GMT

I have the following search, and i want to be able to only show the indexes that have 0 data during a specified time frame.

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h

When I add | where count=0 or something similar it shows nothing.

Any example searches to show indexes that have no data and be able to set up an alert when that happens?

Re: How to create an alert when searched index has no data

mayurr98 — Fri, 16 Aug 2019 22:28:06 GMT

try this :

| eventcount summarize=false index=* 
| dedup index 
| fields index 
| rename index as idx 
| join type=left idx 
    [ search index=_internal source=*license_usage.log type="Usage" 
    | bin span=1d _time 
    | eval time=strftime(_time,"%Y-%d-%m") 
    | chart count over idx by time ]

let me know if this helps !

Re: How to create an alert when searched index has no data

woodcock — Sat, 17 Aug 2019 14:45:40 GMT

Like this:

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h
| untable _time idx count
| where count = 0

Re: How to create an alert when searched index has no data

dmws — Mon, 19 Aug 2019 17:28:40 GMT

It sort of works, but there are a lot of blank spaces under the counts for some indexes

Re: How to create an alert when searched index has no data

Sukisen1981 — Mon, 19 Aug 2019 17:34:07 GMT

blank space occurs where there is no count for a specific index. append |fillnull value=0 to the above query