Re: How to create an alert when searched index has...

dmws · ‎08-16-2019

I have the following search, and i want to be able to only show the indexes that have 0 data during a specified time frame.

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h

When I add | where count=0 or something similar it shows nothing.

Any example searches to show indexes that have no data and be able to set up an alert when that happens?

woodcock · ‎08-17-2019

Like this:

index=_internal source=*license_usage.log type="Usage" 
| timechart count by idx span=1h
| untable _time idx count
| where count = 0

mayurr98 · ‎08-16-2019

try this :

| eventcount summarize=false index=* 
| dedup index 
| fields index 
| rename index as idx 
| join type=left idx 
    [ search index=_internal source=*license_usage.log type="Usage" 
    | bin span=1d _time 
    | eval time=strftime(_time,"%Y-%d-%m") 
    | chart count over idx by time ]

let me know if this helps !

dmws · ‎08-19-2019

It sort of works, but there are a lot of blank spaces under the counts for some indexes

Sukisen1981 · ‎08-19-2019

blank space occurs where there is no count for a specific index. append |fillnull value=0 to the above query

How to create an alert when searched index has no data

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms