Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does the Manager generate index data?

williamsweat
Path Finder
‎05-18-2011 07:22 PM

Hello,

Is there a way to create an index alert based on when the last event was received? I see the values I want to check in the Manager > Indexes, but I don't know of an effective way to create a similar search that doesn't have a noticeable performance impact (index=* based searches has a performance impact)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎05-18-2011 08:46 PM

Please try the following search with a small time range, such as Last 15 min;


| dbinspect index=main
| convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(latestTime) AS Last
| eval Diff=now()-Last
| table latestTime Diff Last
| where Diff > 0

Change the threshod in where command, and set the condition to kick your alert.

For more information about each search command, please visit:
http://www.splunk.com/base/Documentation/latest/SearchReference/WhatsInThisManual

View solution in original post

Reply
Solved! Jump to solution

williamsweat
Path Finder
‎05-19-2011 11:08 AM

Thanks! This helps immensely (completely glazed over the dbinspect). Gkanapathy, when I try that command, the results are done serially; it stops at the first index and doesn't continue to the others (also tried index=*)

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-19-2011 12:43 PM

oh I didn't know you wanted results per index, i though you just wanted the most recent item overall. note that you can also use the |metadata type=sourcetypes command and filter on that output too. dbinspect is probably better for index-level data though.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-18-2011 10:00 PM

You could also do a realtime alert:

index=x OR index=y OR index=z | head 1 | eval d=now()-_time | where d<120

and alert when there are zero results would give you what you need efficiently if you want to be alerted when there wasn't anything for the past two minutes.

Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎05-18-2011 08:46 PM

Please try the following search with a small time range, such as Last 15 min;


| dbinspect index=main
| convert timeformat="%m/%d/%Y:%H:%M:%S" mktime(latestTime) AS Last
| eval Diff=now()-Last
| table latestTime Diff Last
| where Diff > 0

Change the threshod in where command, and set the condition to kick your alert.

For more information about each search command, please visit:
http://www.splunk.com/base/Documentation/latest/SearchReference/WhatsInThisManual

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...