Splunk Search

Get the difference between strings

thirumaleshsplu
Explorer

Hello All,

My Goal: I need to create a dashboard with multiple panels.

Panel 1 would be total number of indexes reporting Splunk.

command: | tstats count where index=* by index | where count<=0

This is posting the results. 

 

Panel 2 would be total number of indexes, which doesn't have the data

command: | tstats count where index=* by index | where count>=1 | stats count

 

Need help on this:

Panel 3 would be the difference between the total old indexes name (last 3 months) total new indexes if we created any in last 24 hours.

So this should gives me the any new index created in last 24 hours, which I need to update to my security group. 

Since I am doing for 3 months I would like to use lighting command such as "tstats" command. 

Appreciate your help. 

@manjunathmeti  @to4kawa @woodcock  @richgalloway 

Labels (1)
Tags (3)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

This command will show you those indexes that ONLY have data today over the time period you search on.

It won't guarantee that the index has been created today, but at least might be good enough for you.

| tstats count where index=* by index _time span=1d
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

This command will show you those indexes that ONLY have data today over the time period you search on.

It won't guarantee that the index has been created today, but at least might be good enough for you.

| tstats count where index=* by index _time span=1d
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")

thirumaleshsplu
Explorer

My goal is to get the newly created indexes over last 24 hours and indexes with zero events for last 30 days. Is there better way for me.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What you are doing is good enough - there are some minor optimisations you can do to use a base search for all 3 panels, e.g. the base search and searches for the 3 panels could look like this

<search id="base_tstats">
  <query>
| tstats count where index=* by index _time span=1d
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events=0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events>0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")
  </query>
</search>

One way to check for manual index creation is to look in the audit log, but I'm not sure what happens when you edit indexes.conf and restart or what happens in a clustered environment, but you could check that if you really need to know about true creations as opposed to assumed creations.

 

index=_audit operation=create action=indexes_edit

 

Audit:[timestamp=03-30-2021 21:11:42.415, user=userrname, action=indexes_edit, info=granted object="index_name" operation=create][n/a]

 

richgalloway
SplunkTrust
SplunkTrust

It's not clear what changes you wish to detect, but the current query is unlikely to help.  The set command does not show which set is different - it merely shows the difference.

If you can describe the use case in more detail then perhaps someone can help.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...