Find results that appears in a % of the cases and ...

felipesodre · ‎06-29-2021

Hi there,

First of all, thank you for any comment.

I am looking for a way to identify if I have any index missing across databases in my environment.

So, I am logging in Splunk all indexes I have across the environment and the results looks like as following:

[
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_a"
},
{
"indexrelname":" index_2",
"table":" tb_2",
"database":"db_a"
},
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_b"
},
{
"indexrelname":" index_2",
"table":" tb_2",
"database":"db_b"
},
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_c"
},
Missing index_2 tb_2 here...
]

So, as an example I would like to find the missing index "index_2" on the table "tb_2" on database "db_c".

The result would be a table of missing index:

database | table | indexrelname

db_c | tb_2 | index_2

Does anyone able to help ?

richgalloway · ‎06-30-2021

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.

Find results that appears in a % of the cases and list the outliers

fields

other

table

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?