Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitor index activity

x3ncrypt
Loves-to-Learn Everything
‎01-12-2022 08:06 PM

Hi there, I would like to monitor indexes that have not been active for more than 24hrs+ and display the names of the indexes in a table as well as the last received activity. Thanks

Labels (3)
Labels
0 Karma
Reply

SinghK
Builder
‎01-12-2022 11:13 PM

| tstats latest(_time) as latest where index=* earliest=-24h by host,index | eval status = if(latest > relative_time(now(),"-23h"),"Success","Faliure"), Time = strftime(latest,"%c")|table host,Tindex,time,status

this will do 

or use apps in @isoutamo 's reply

Reply

johnhuang
Motivator
‎01-12-2022 11:19 PM

Mostly right, but you're going to miss index that is offline for 25h+.

Should search for a longer time span, something like this:

| tstats max(_time) AS _time WHERE earliest=-7d@d BY index
| where _time<now()-(24*3600)

0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎01-20-2022 09:10 PM

Is that the entire search string I will need to use? Thanks

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2022 11:23 PM

Hi

based on @johnhuang SPL some modifications. If you want to check towards all indexes what you have defined on your indexers and don't want to get data from all time with tstats you should use this

| tstats max(_time) as _time where earliest=-1d@d by index 
| append 
    [| rest /services/data/indexes splunk_server=*
    | fields title 
    | rename title as index 
    | eval _time=0] 
| where _time<now()-(24*3600)

Just replace splunk_server=* with your indexers.

This just get list of your all indexes which are defined on indexers and then get events from the beginning of previous day.

r. Ismo 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-12-2022 11:00 PM

Hi

there are many apps which you can use for this. Here is some of those and other information about missing events.

There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/

You could easily add alert based on those.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...