Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How does the Manager generate index data?

williamsweat
Path Finder
‎05-18-2011 07:22 PM

Hello,

Is there a way to create an index alert based on when the last event was received? I see the values I want to check in the Manager > Indexes, but I don't know of an effective way to create a similar search that doesn't have a noticeable performance impact (index=* based searches has a performance impact)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎05-18-2011 08:46 PM

Please try the following search with a small time range, such as Last 15 min;


| dbinspect index=main
| convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(latestTime) AS Last
| eval Diff=now()-Last
| table latestTime Diff Last
| where Diff > 0

Change the threshod in where command, and set the condition to kick your alert.

For more information about each search command, please visit:
http://www.splunk.com/base/Documentation/latest/SearchReference/WhatsInThisManual

View solution in original post

Reply
Solved! Jump to solution

williamsweat
Path Finder
‎05-19-2011 11:08 AM

Thanks! This helps immensely (completely glazed over the dbinspect). Gkanapathy, when I try that command, the results are done serially; it stops at the first index and doesn't continue to the others (also tried index=*)

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-19-2011 12:43 PM

oh I didn't know you wanted results per index, i though you just wanted the most recent item overall. note that you can also use the |metadata type=sourcetypes command and filter on that output too. dbinspect is probably better for index-level data though.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-18-2011 10:00 PM

You could also do a realtime alert:

index=x OR index=y OR index=z | head 1 | eval d=now()-_time | where d<120

and alert when there are zero results would give you what you need efficiently if you want to be alerted when there wasn't anything for the past two minutes.

Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎05-18-2011 08:46 PM

Please try the following search with a small time range, such as Last 15 min;


| dbinspect index=main
| convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(latestTime) AS Last
| eval Diff=now()-Last
| table latestTime Diff Last
| where Diff > 0

Change the threshod in where command, and set the condition to kick your alert.

For more information about each search command, please visit:
http://www.splunk.com/base/Documentation/latest/SearchReference/WhatsInThisManual

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...