Splunk Search

Get the difference between strings

thirumaleshsplu
Explorer

Hello All,

My Goal: I need to create a dashboard with multiple panels.

Panel 1 would be the total number of indexes reporting to Splunk.

command: | tstats count where index=* by index | where count<=0

This is posting the results. 

Panel 2 would be the total number of indexes which don't have data.

command: | tstats count where index=* by index | where count>=1 | stats count

Need help on this:

Panel 3 would be the difference between the total old index names (last 3 months) and the total new indexes, if we created any in the last 24 hours.

So this should give me any new index created in the last 24 hours, which I need to update my security group on.

Since I am doing this for 3 months, I would like to use a lightning-fast command such as "tstats".

Appreciate your help. 

@manjunathmeti  @to4kawa @woodcock  @richgalloway 

1 Solution

bowesmana
Champion

This command will show you those indexes that ONLY have data today over the time period you search on.

It won't guarantee that the index has been created today, but at least might be good enough for you.

| tstats count where index=* by index _time span=1d
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")


thirumaleshsplu
Explorer

My goal is to get the newly created indexes over the last 24 hours and the indexes with zero events for the last 30 days. Is there a better way for me?

bowesmana
Champion

What you are doing is good enough - there are some minor optimisations you can do to use a base search for all 3 panels, e.g. the base search and the searches for the 3 panels could look like this:

<search id="base_tstats">
  <query>
| tstats count where index=* by index _time span=1d
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events=0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events>0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")
  </query>
</search>

One way to check for manual index creation is to look in the audit log, but I'm not sure what happens when you edit indexes.conf and restart, or what happens in a clustered environment. You could check that if you really need to know about true creations as opposed to assumed creations.

index=_audit operation=create action=indexes_edit

Audit:[timestamp=03-30-2021 21:11:42.415, user=userrname, action=indexes_edit, info=granted object="index_name" operation=create][n/a]
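The accepted answer's "only has data today" search, the base-search dashboard layout and the _audit search above, combined into one Simple XML dashboard. This is an added example, not code from bowesmana or the original poster. Two points it adds: the "new index" panel takes the earliest daily bucket per index as first_seen rather than requiring exactly one bucket that is today, so an index whose first events arrived late yesterday is still caught; and the zero-event panel takes the list of defined indexes from the REST endpoint /services/data/indexes, because tstats only returns indexes that hold at least one event in the search range, so a where count<=0 filter after tstats can never surface an empty index. Assumptions: the account running the dashboard may call the rest command, the object field of _audit events is auto-extracted like action and operation are, and the dashboard label and panel titles are made up here.

```xml
<dashboard>
  <label>Index inventory (added example)</label>

  <!-- Base search shared by the panels below: one row per index per day
       over the last 90 days. tstats reads tsidx metadata, so it is cheap
       over long ranges, but it only returns indexes that contain at least
       one event in the range; empty indexes never appear in its output. -->
  <search id="base_tstats">
    <query>| tstats count where index=* by index _time span=1d</query>
    <earliest>-90d@d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Indexes reporting data (last 90 days)</title>
      <single>
        <search base="base_tstats">
          <query>| stats sum(count) as events by index
| where events>0
| stats count as indexes_with_data</query>
        </search>
      </single>
    </panel>

    <panel>
      <title>Indexes with zero events (last 30 days)</title>
      <!-- The defined index list comes from the REST API (dedup title merges
           the per-server rows returned in a distributed deployment). Event
           counts from tstats are appended to it, so an index that tstats
           does not know about sums to 0. Internal indexes (_audit,
           _internal, ...) are excluded from the check. -->
      <table>
        <search>
          <query>| rest /services/data/indexes
| dedup title
| rename title as index
| search NOT index=_*
| fields index
| eval count=0
| append [| tstats count where index=* earliest=-30d@d by index]
| stats sum(count) as events by index
| where events=0
| table index events</query>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Indexes first seen within the last day</title>
      <!-- Generalises the accepted answer: the earliest daily bucket per
           index is its first_seen. Buckets are aligned to midnight, so
           comparing against -1d@d keeps an index whose first data arrived
           late yesterday. first_seen is the first day with data inside the
           90-day window, not the creation time: a long-empty index that
           suddenly receives events will show up here too, which is usually
           worth a look anyway. -->
      <table>
        <search base="base_tstats">
          <query>| stats min(_time) as first_seen max(_time) as last_seen sum(count) as events by index
| where first_seen>=relative_time(now(), "-1d@d")
| eval first_seen=strftime(first_seen, "%Y-%m-%d"), last_seen=strftime(last_seen, "%Y-%m-%d")
| table index first_seen last_seen events</query>
        </search>
      </table>
    </panel>

    <panel>
      <title>Index creations recorded in _audit (last 24 hours)</title>
      <!-- Assumes the object field is auto-extracted from the audit event
           in the same way as action and operation. -->
      <table>
        <search>
          <query>index=_audit action=indexes_edit operation=create
| stats earliest(_time) as created_at values(user) as created_by by object
| eval created_at=strftime(created_at, "%Y-%m-%d %H:%M:%S")
| rename object as index
| table index created_at created_by</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The first and third panels post-process the base search, so the 90-day tstats scan runs once per dashboard load; the zero-event and _audit panels run their own searches because neither can be derived from the tstats rows. As bowesmana notes, _audit only sees index creations made through the UI or REST, so the two "new index" panels are complementary rather than redundant.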

richgalloway
SplunkTrust

It's not clear what changes you wish to detect, but the current query is unlikely to help.  The set command does not show which set is different - it merely shows the difference.

If you can describe the use case in more detail then perhaps someone can help.

---
If this reply helps you, an upvote would be appreciated.