Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing the sourcetypes between certain period.

udayk1
Path Finder
‎05-13-2014 03:21 AM

I have a concern here, the requirement for me is to get a list of sourcetypes which are not sending logs from last 1month (say) and I have tried to take the list of last month active sourcetypes and this month, post on which I would do a 'vlookup' in the excel.
Yes, I agree this is manual, but the comparison is possible n Splunk as a query?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-13-2014 03:51 AM

Hi udayk1,

you can do this very easy in Splunk using the timewrap command. Take this run everywhere search command which compares the event counts for sourcetype=splunkd_access over the last 4 weeks:

index=_internal sourcetype=splunkd_access earliest=-3w@w | timechart count by sourcetype | timewrap w

Regarding your use case, a non-active sourcetype would be on this chart with count 0 if it stopped producing events within the last 4 weeks. If the sourcetype stopped 5 or 6 weeks ago you will have to extend the time range from weeks to month.

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎05-13-2014 03:51 AM

Hi udayk1,

you can do this very easy in Splunk using the timewrap command. Take this run everywhere search command which compares the event counts for sourcetype=splunkd_access over the last 4 weeks:

index=_internal sourcetype=splunkd_access earliest=-3w@w | timechart count by sourcetype | timewrap w

Regarding your use case, a non-active sourcetype would be on this chart with count 0 if it stopped producing events within the last 4 weeks. If the sourcetype stopped 5 or 6 weeks ago you will have to extend the time range from weeks to month.

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

linu1988
Champion
‎05-13-2014 05:19 AM

|metadata type=sourcetypes index=fmo*|where recentTime < now()-2592000|convert ctime(*Time)

before convert just use a where condition to check your requirement

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...