Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create an alert if index have no data in the last 24 hours?

Neonbeeflash
Explorer
‎12-07-2022 04:49 AM

I want to create alert to check on all indexes event count and alert the list of all indexes that have no events in the last 24 hours.

I saw a post with the same problem, but it didn't help. How to create an alert if index have no data in th... - Splunk Community

The following search doesn't work for my purpose. 

| tstats count where index=* by index | where count = 0

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 08:06 AM

I think you're getting no results because there's nothing for Splunk to find in empty indexes.  Try this alternative query.

| tstats count where index=* by index
```Get a list of all indexes and assign them a count of zero```
| append [|rest /services/data/indexes 
  | dedup title 
  | fields title 
  ```Discard internal indexes```
  | search title!="_*" 
  | rename title as index 
  | eval count=0
]
```Merge results, keeping the copy with a non-zero, if present```
| stats max(count) as count by index
| where count==0
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-07-2022 05:52 AM

Please elaborate on "doesn't work for my purpose".

Have you looked at the blog entry referenced in linked answer?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Neonbeeflash
Explorer
‎01-05-2023 04:09 AM

Thank you for your response. The problem is that I have several indexes which have not received any information in the last month. When I use this command, I get absolutely nothing. My purpose is to create a list of those indexes that have not received any information in the last 24 hours.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 08:06 AM

I think you're getting no results because there's nothing for Splunk to find in empty indexes.  Try this alternative query.

| tstats count where index=* by index
```Get a list of all indexes and assign them a count of zero```
| append [|rest /services/data/indexes 
  | dedup title 
  | fields title 
  ```Discard internal indexes```
  | search title!="_*" 
  | rename title as index 
  | eval count=0
]
```Merge results, keeping the copy with a non-zero, if present```
| stats max(count) as count by index
| where count==0
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Neonbeeflash
Explorer
‎01-12-2023 09:29 AM

Hello,

This worked amazing! Thanks for your help.

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...