- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alert for when new index/sourcetype is created
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What’s a good search query I can use to notify me any time a new index or sourcetype is created with a 7 day range.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
partial answer here, indexes first.
here is how to check if an index was created, note: did not check in indexer cluster configuration but i assume its the same or close
index = _audit action=indexes_edit info=granted operation=create
| stats values(object) as new_index_created by _time splunk_server
| rename _time as creation_time splunk_server as indexer
as for sourcetype,
you can use the |metadata type=sourcetypes maybe with | outputslookup command to generate a lookup of sourcetype names and the last time they were seen by splunk and than have a search to run against new data and match to existing lookup table to see if there are any new sourcetypes
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
partial answer here, indexes first.
here is how to check if an index was created, note: did not check in indexer cluster configuration but i assume its the same or close
index = _audit action=indexes_edit info=granted operation=create
| stats values(object) as new_index_created by _time splunk_server
| rename _time as creation_time splunk_server as indexer
as for sourcetype,
you can use the |metadata type=sourcetypes maybe with | outputslookup command to generate a lookup of sourcetype names and the last time they were seen by splunk and than have a search to run against new data and match to existing lookup table to see if there are any new sourcetypes
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Adonio,
Thanks for your response, but I'm looking for a way to identify when new data is added to splunk. For example lets say sourcefire data is added and a new index called index=sourcefire is created. How can I get an alert when something new is added to splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please refer back to the answer, the search above tells you when a new index was configured.
for sourcetypes, you can use the I metadata type=sourcetype command.
try it and see the result. you can capture a new sourcetype by the first and last field values that this command genarates
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use | rest /services/data/indexes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That just give me a list of index, I’m looking for a search that will give me a list of new index created in the last 7 days
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
on the indexer run:
tail -f /opt/splunk/var/log/splunk/splunkd.log | grep index_name
then create and index and catch the log line, and you should find this log on _internal index
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
