Splunk Search

How to create an alert when searched index has no data

dmws
New Member

I have the following search, and i want to be able to only show the indexes that have 0 data during a specified time frame.

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h

When I add | where count=0 or something similar it shows nothing.

Any example searches to show indexes that have no data and be able to set up an alert when that happens?

0 Karma

woodcock
Esteemed Legend

Like this:

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h
| untable _time idx count
| where count = 0
0 Karma

mayurr98
Super Champion

try this :

| eventcount summarize=false index=* 
| dedup index 
| fields index 
| rename index as idx 
| join type=left idx 
    [ search index=_internal source=*license_usage.log type="Usage" 
    | bin span=1d _time 
    | eval time=strftime(_time,"%Y-%d-%m") 
    | chart count over idx by time ]

let me know if this helps !

0 Karma

dmws
New Member

It sort of works, but there are a lot of blank spaces under the counts for some indexes

0 Karma

Sukisen1981
Champion

blank space occurs where there is no count for a specific index. append |fillnull value=0 to the above query

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...