Splunk Search

Get the difference between strings

thirumaleshsplu
Explorer

Hello All,

My Goal: I need to create a dashboard with multiple panels.

Panel 1 would be total number of indexes reporting Splunk.

command: | tstats count where index=* by index | where count<=0

This is posting the results. 

 

Panel 2 would be total number of indexes, which doesn't have the data

command: | tstats count where index=* by index | where count>=1 | stats count

 

Need help on this:

Panel 3 would be the difference between the total old indexes name (last 3 months) total new indexes if we created any in last 24 hours.

So this should gives me the any new index created in last 24 hours, which I need to update to my security group. 

Since I am doing for 3 months I would like to use lighting command such as "tstats" command. 

Appreciate your help. 

@manjunathmeti  @to4kawa @woodcock  @richgalloway 

Labels (1)
Tags (3)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

This command will show you those indexes that ONLY have data today over the time period you search on.

It won't guarantee that the index has been created today, but at least might be good enough for you.

| tstats count where index=* by index _time span=1d
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

This command will show you those indexes that ONLY have data today over the time period you search on.

It won't guarantee that the index has been created today, but at least might be good enough for you.

| tstats count where index=* by index _time span=1d
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")

thirumaleshsplu
Explorer

My goal is to get the newly created indexes over last 24 hours and indexes with zero events for last 30 days. Is there better way for me.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What you are doing is good enough - there are some minor optimisations you can do to use a base search for all 3 panels, e.g. the base search and searches for the 3 panels could look like this

<search id="base_tstats">
  <query>
| tstats count where index=* by index _time span=1d
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events=0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats sum(count) as events by index
| where events>0
  </query>
</search>

<search base="base_tstats">
  <query>
| stats count as days latest(_time) as _time by index
| where days=1 AND _time=relative_time(now(),"@d")
  </query>
</search>

One way to check for manual index creation is to look in the audit log, but I'm not sure what happens when you edit indexes.conf and restart or what happens in a clustered environment, but you could check that if you really need to know about true creations as opposed to assumed creations.

 

index=_audit operation=create action=indexes_edit

 

Audit:[timestamp=03-30-2021 21:11:42.415, user=userrname, action=indexes_edit, info=granted object="index_name" operation=create][n/a]

 

richgalloway
SplunkTrust
SplunkTrust

It's not clear what changes you wish to detect, but the current query is unlikely to help.  The set command does not show which set is different - it merely shows the difference.

If you can describe the use case in more detail then perhaps someone can help.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...