Re: How to create an alert when searched index has...

dmws · ‎08-16-2019

I have the following search, and i want to be able to only show the indexes that have 0 data during a specified time frame.

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h

When I add | where count=0 or something similar it shows nothing.

Any example searches to show indexes that have no data and be able to set up an alert when that happens?

woodcock · ‎08-17-2019

Like this:

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h
| untable _time idx count
| where count = 0

mayurr98 · ‎08-16-2019

try this :

| eventcount summarize=false index=* 
| dedup index 
| fields index 
| rename index as idx 
| join type=left idx 
    [ search index=_internal source=*license_usage.log type="Usage" 
    | bin span=1d _time 
    | eval time=strftime(_time,"%Y-%d-%m") 
    | chart count over idx by time ]

let me know if this helps !

dmws · ‎08-19-2019

It sort of works, but there are a lot of blank spaces under the counts for some indexes

Sukisen1981 · ‎08-19-2019

blank space occurs where there is no count for a specific index. append |fillnull value=0 to the above query

How to create an alert when searched index has no data

Security Highlights | November 2022 Newsletter

Platform Highlights | November 2022 Newsletter

Splunk Education - Fast Start Program!