Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert if index have no data in the last 24 hours?

Neonbeeflash
Explorer
‎12-07-2022 04:49 AM

I want to create alert to check on all indexes event count and alert the list of all indexes that have no events in the last 24 hours.

I saw a post with the same problem, but it didn't help. How to create an alert if index have no data in th... - Splunk Community

The following search doesn't work for my purpose. 

| tstats count where index=* by index | where count = 0

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 08:06 AM

I think you're getting no results because there's nothing for Splunk to find in empty indexes.  Try this alternative query.

| tstats count where index=* by index
```Get a list of all indexes and assign them a count of zero```
| append [|rest /services/data/indexes 
  | dedup title 
  | fields title 
  ```Discard internal indexes```
  | search title!="_*" 
  | rename title as index 
  | eval count=0
]
```Merge results, keeping the copy with a non-zero, if present```
| stats max(count) as count by index
| where count==0
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-07-2022 05:52 AM

Please elaborate on "doesn't work for my purpose".

Have you looked at the blog entry referenced in linked answer?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Neonbeeflash
Explorer
‎01-05-2023 04:09 AM

Thank you for your response. The problem is that I have several indexes which have not received any information in the last month. When I use this command, I get absolutely nothing. My purpose is to create a list of those indexes that have not received any information in the last 24 hours.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 08:06 AM

I think you're getting no results because there's nothing for Splunk to find in empty indexes.  Try this alternative query.

| tstats count where index=* by index
```Get a list of all indexes and assign them a count of zero```
| append [|rest /services/data/indexes 
  | dedup title 
  | fields title 
  ```Discard internal indexes```
  | search title!="_*" 
  | rename title as index 
  | eval count=0
]
```Merge results, keeping the copy with a non-zero, if present```
| stats max(count) as count by index
| where count==0
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Neonbeeflash
Explorer
‎01-12-2023 09:29 AM

Hello,

This worked amazing! Thanks for your help.

Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...