Knowledge Management
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: How to list missing event types that don't mat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbarinov
Path Finder
06-05-2018
08:56 AM
Hello,
Is there a way in Splunk to get a list of event types which don't match any events in the defined period of time?
I only know how to do the opposite thing.
I need this to clean up irrelevant event types.
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbarinov
Path Finder
06-06-2018
01:28 AM
Thanks to all for the responses.
I've used the following search
| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count
and got a list of all event types paired with an amount of corresponding events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbarinov
Path Finder
06-06-2018
01:28 AM
Thanks to all for the responses.
I've used the following search
| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count
and got a list of all event types paired with an amount of corresponding events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
06-06-2018
05:56 AM
great!
kindly accept your answer so others will know its a valid solution for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
06-05-2018
11:45 AM
hello there,
here is an alternative to the lookup approach
this search capture all eventtypes in your splunk using rest:
| rest /services/saved/eventtypes
| table title
you can add couple fields to the search eai:acl.app search and outputlookup and used the approach shown above by @kmorris
set your time picker
and run the following to find which eventtypes are not being "used" in that particular time frame:
| set diff [ | search index = *
| stats count by eventtype
| fields - count ]
[| rest /services/saved/eventtypes
| table title
| rename title as eventtype ]
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kmorris_splunk
Splunk Employee
06-05-2018
10:49 AM
Check out this answers post. You would need some sort of lookup file that listed all of the event types. You would search the lookup as your base search with a subsearch of the events, where the common field (eventtype) is NOT in the search of the events.
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)
Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Almost Too Eventful Assurance: Part 1
Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
