Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to list missing event types that don't match any events in the defined period of time?

sbarinov
Path Finder
‎06-05-2018 08:56 AM

Hello,

Is there a way in Splunk to get a list of event types which don't match any events in the defined period of time?
I only know how to do the opposite thing.
I need this to clean up irrelevant event types.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sbarinov
Path Finder
‎06-06-2018 01:28 AM

Thanks to all for the responses.
I've used the following search

| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count

and got a list of all event types paired with an amount of corresponding events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sbarinov
Path Finder
‎06-06-2018 01:28 AM

Thanks to all for the responses.
I've used the following search

| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count

and got a list of all event types paired with an amount of corresponding events.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-06-2018 05:56 AM

great!
kindly accept your answer so others will know its a valid solution for you

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-05-2018 11:45 AM

hello there,

here is an alternative to the lookup approach
this search capture all eventtypes in your splunk using rest:

| rest /services/saved/eventtypes
| table title

you can add couple fields to the search eai:acl.app search and outputlookup and used the approach shown above by @kmorris

set your time picker
and run the following to find which eventtypes are not being "used" in that particular time frame:

  | set diff [ | search index = * 
    | stats count by eventtype 
    | fields - count ]
    [| rest /services/saved/eventtypes
    | table title 
    | rename title as eventtype ]

hope it helps

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-05-2018 10:49 AM

Check out this answers post. You would need some sort of lookup file that listed all of the event types. You would search the lookup as your base search with a subsearch of the events, where the common field (eventtype) is NOT in the search of the events.

Answers post

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top