Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Monitor index activity

x3ncrypt
Loves-to-Learn Everything
‎01-12-2022 08:06 PM

Hi there, I would like to monitor indexes that have not been active for more than 24hrs+ and display the names of the indexes in a table as well as the last received activity. Thanks

Labels (3)
Labels
0 Karma
Reply

SinghK
Builder
‎01-12-2022 11:13 PM

| tstats latest(_time) as latest where index=* earliest=-24h by host,index | eval status = if(latest > relative_time(now(),"-23h"),"Success","Faliure"), Time = strftime(latest,"%c")|table host,Tindex,time,status

this will do 

or use apps in @isoutamo 's reply

Reply

johnhuang
Motivator
‎01-12-2022 11:19 PM

Mostly right, but you're going to miss index that is offline for 25h+.

Should search for a longer time span, something like this:

| tstats max(_time) AS _time WHERE earliest=-7d@d BY index
| where _time<now()-(24*3600)

0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎01-20-2022 09:10 PM

Is that the entire search string I will need to use? Thanks

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2022 11:23 PM

Hi

based on @johnhuang SPL some modifications. If you want to check towards all indexes what you have defined on your indexers and don't want to get data from all time with tstats you should use this

| tstats max(_time) as _time where earliest=-1d@d by index 
| append 
    [| rest /services/data/indexes splunk_server=*
    | fields title 
    | rename title as index 
    | eval _time=0] 
| where _time<now()-(24*3600)

Just replace splunk_server=* with your indexers.

This just get list of your all indexes which are defined on indexers and then get events from the beginning of previous day.

r. Ismo 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-12-2022 11:00 PM

Hi

there are many apps which you can use for this. Here is some of those and other information about missing events.

There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

You could easily add alert based on those.

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...