Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Locating missing events

justinfranks
Path Finder
‎09-25-2013 04:25 PM

Hey all,

I've searched for an answer to this but cannot see one, so apologies if this has been answered before.

Some background: We have a number of FileMaker DBs and I am attempting setup some automation so confirm that the DBs are all open. To do this, a FileMaker Server-Side script runs every 15 mins and confirms that they are all open and output it's results to a table.

I am using the JDBC connector in the Splunk DB Connect app to index this table. This all working fine and I am able to search. However, if the FileMaker database is unreachable the events are not indexed and this is expected behaviour but I was wondering if there was a way to detect a lack of events for a specific time period to be able to report on them?

The events are VERY simple, a timestamp and one KVP. Example: "26/09/2013 09:15:00 AM" FilesOpen=13

Would "| overlap | collect" work in this instance? If so, is there any decent documentation on this method? The built-in documentation is limited at best.

Thanks in advance,

Justin.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-25-2013 09:27 PM 
... | timechart span=15m count

And alert if the value is less than the expected number (or it's zero).

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-25-2013 09:29 PM

Or ... | timechart span=15m sum(FilesOpen)

0 Karma
Reply

Lucas_K
Motivator
‎09-25-2013 06:35 PM

You could just check your _internal index for the indexing rate for events going to that particular index.

If the rate drops below a threshold then send an alert.

index="_internal" sourcetype="splunkd" group="per_index_thruput" NOT (series="_*" OR series="/*" OR series="summary*") | rename series as index  | stats avg(kbps) by index
Reply

justinfranks
Path Finder
‎09-25-2013 07:37 PM

Thanks for the response!

This would be good if I wanted to just alert. However, I would like to report on the missing events. ie count them.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...