Splunk Search

How to create an alert when searched index has no data

dmws
New Member

I have the following search, and i want to be able to only show the indexes that have 0 data during a specified time frame.

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h

When I add | where count=0 or something similar it shows nothing.

Any example searches to show indexes that have no data and be able to set up an alert when that happens?

0 Karma

woodcock
Esteemed Legend

Like this:

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h
| untable _time idx count
| where count = 0
0 Karma

mayurr98
Super Champion

try this :

| eventcount summarize=false index=* 
| dedup index 
| fields index 
| rename index as idx 
| join type=left idx 
    [ search index=_internal source=*license_usage.log type="Usage" 
    | bin span=1d _time 
    | eval time=strftime(_time,"%Y-%d-%m") 
    | chart count over idx by time ]

let me know if this helps !

0 Karma

dmws
New Member

It sort of works, but there are a lot of blank spaces under the counts for some indexes

0 Karma

Sukisen1981
Champion

blank space occurs where there is no count for a specific index. append |fillnull value=0 to the above query

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...