- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- How to list missing event types that don't match a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Is there a way in Splunk to get a list of event types which don't match any events in the defined period of time?
I only know how to do the opposite thing.
I need this to clean up irrelevant event types.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to all for the responses.
I've used the following search
| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count
and got a list of all event types paired with an amount of corresponding events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to all for the responses.
I've used the following search
| rest /services/saved/eventtypes | table title | rename title as eventtype | join type=left eventtype [search index="myindex" | stats count by eventtype] | eval count = if(isnull(count), 0, count) | sort -count
and got a list of all event types paired with an amount of corresponding events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
great!
kindly accept your answer so others will know its a valid solution for you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
here is an alternative to the lookup approach
this search capture all eventtypes in your splunk using rest:
| rest /services/saved/eventtypes
| table title
you can add couple fields to the search eai:acl.app search and outputlookup and used the approach shown above by @kmorris
set your time picker
and run the following to find which eventtypes are not being "used" in that particular time frame:
| set diff [ | search index = *
| stats count by eventtype
| fields - count ]
[| rest /services/saved/eventtypes
| table title
| rename title as eventtype ]
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out this answers post. You would need some sort of lookup file that listed all of the event types. You would search the lookup as your base search with a subsearch of the events, where the common field (eventtype) is NOT in the search of the events.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
