Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- need to display indexes with no data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
need to display indexes with no data
i do not have access to the monitoring console, so trying to figure out a way to detect which indexes have data and which indexes dont.
Also if an index is receiving data, when was the last data received by the index.
when i try to use the metadata command is shows the data but do not list the indexes, also i would also like to list the indexes that do no have any data
my query is as below
| metadata type=sourcetypes index=index_* | rename totalCount as Count1 firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First_Event"=strftime('First_Event', "%c") | fieldformat "Last_Event"=strftime('Last_Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Sample results is
Count1 First_Event Last Update Last_Event sourcetype type
111111 ddd mmm x 17:31:49 yyyy ddd mmm 24 14:43:41 yyyy ddd mmm 24 14:43:34 yyyy nmb sourcetypes
222222 ddd mmm x 17:29:11 yyyy ddd mmm 24 14:43:41 yyyy ddd mmm 24 14:43:20 yyyy vfr sourcetypes
333333 ddd mmm x 08:56:47 yyyy ddd mmm 24 14:51:58 yyyy ddd mmm 24 14:47:06 yyyy xyz sourcetypes
444444 ddd mmm x 12:52:57 yyyy ddd mmm 24 14:51:50 yyyy ddd mmm 24 14:50:32 yyyy abc sourcetypes
555555 ddd mmm x 13:35:11 yyyy ddd mmm 24 14:51:09 yyyy ddd mmm 24 14:51:07 yyyy qwe sourcetypes
i would line another column for index, if the index has no data then in the other columns (such as count, first_event, Last_event, etc) it should show Null or NA.
would like to see the output as below
Count1 First_Event Last Update Last_Event sourcetype type index
111111 ddd mmm x 17:31:49 yyyy ddd mmm 24 14:43:41 yyyy ddd mmm 24 14:43:34 yyyy nmb sourcetypes index1
222222 ddd mmm x 17:29:11 yyyy ddd mmm 24 14:43:41 yyyy ddd mmm 24 14:43:20 yyyy vfr sourcetypes index2
333333 ddd mmm x 08:56:47 yyyy ddd mmm 24 14:51:58 yyyy ddd mmm 24 14:47:06 yyyy xyz sourcetypes index3
444444 ddd mmm x 12:52:57 yyyy ddd mmm 24 14:51:50 yyyy ddd mmm 24 14:50:32 yyyy abc sourcetypes index3
555555 ddd mmm x 13:35:11 yyyy ddd mmm 24 14:51:09 yyyy ddd mmm 24 14:51:07 yyyy qwe sourcetypes index4
NULL NULL NULL NULL NULL NULL index5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. Why not simply try this:
index=*
| stats latest(_time) as latestTime earliest(_time) as earliestTime count by index
| eval latestTime=strftime(latestTime,"%x %X")|eval earliestTime=strftime(earliestTime,"%x %X")
It comes from here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
use the | dbinspect command
read here:
https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Dbinspect
Community Content Calendar, November Edition
October Community Champions: A Shoutout to Our Contributors!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
