
How to list missing event types that don't match any events in the defined period of time?

sbarinov
Path Finder

Hello,

Is there a way in Splunk to get a list of event types which don't match any events in the defined period of time?
I only know how to do the opposite thing.
I need this to clean up irrelevant event types.

Thank you.


sbarinov
Path Finder

Thanks to all for the responses.
I've used the following search

| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count

and got a list of all event types paired with an amount of corresponding events.


adonio
Ultra Champion

great!
kindly accept your answer so others will know it's a valid solution for you

adonio
Ultra Champion

hello there,

here is an alternative to the lookup approach.
This search captures all eventtypes in your Splunk using rest:

| rest /services/saved/eventtypes
| table title 

you can add a couple of fields to the search (eai:acl.app, search) and outputlookup, and use the approach shown above by @kmorris

set your time picker
and run the following to find which eventtypes are not being "used" in that particular time frame:

| set diff
    [ search index=* | stats count by eventtype | fields - count ]
    [| rest /services/saved/eventtypes | table title | rename title as eventtype ]

hope it helps
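Combining the accepted answer's left-join approach with the app and owner fields adonio mentions, as an added example that is not any poster's own search: it lists enabled event types that matched nothing in the chosen window, together with the app that defines them, their owner and their definition, so a cleanup can be reviewed per app before anything is deleted. The 30-day window, the index=* scope and the matched_events field name are assumptions.

```spl
| rest /services/saved/eventtypes splunk_server=local
| search disabled=0
| table title eai:acl.app eai:acl.owner search
| rename title AS eventtype
| join type=left eventtype
    [ search index=* eventtype=* earliest=-30d@d latest=now
      | stats count AS matched_events BY eventtype ]
| fillnull value=0 matched_events
| where matched_events=0
| table eventtype eai:acl.app eai:acl.owner search
```

The join subsearch is subject to the default subsearch limits (50,000 result rows and 60 seconds), so on a busy deployment narrow the index list or the time range rather than trusting a truncated subsearch, which would make busy event types look unused.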

kmorris_splunk
Splunk Employee

Check out this answers post. You would need some sort of lookup file that listed all of the event types. You would search the lookup as your base search with a subsearch of the events, where the common field (eventtype) is NOT in the search of the events.
