Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Locating missing events

justinfranks
Path Finder
‎09-25-2013 04:25 PM

Hey all,

I've searched for an answer to this but cannot see one, so apologies if this has been answered before.

Some background: We have a number of FileMaker DBs and I am attempting setup some automation so confirm that the DBs are all open. To do this, a FileMaker Server-Side script runs every 15 mins and confirms that they are all open and output it's results to a table.

I am using the JDBC connector in the Splunk DB Connect app to index this table. This all working fine and I am able to search. However, if the FileMaker database is unreachable the events are not indexed and this is expected behaviour but I was wondering if there was a way to detect a lack of events for a specific time period to be able to report on them?

The events are VERY simple, a timestamp and one KVP. Example: "26/09/2013 09:15:00 AM" FilesOpen=13

Would "| overlap | collect" work in this instance? If so, is there any decent documentation on this method? The built-in documentation is limited at best.

Thanks in advance,

Justin.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-25-2013 09:27 PM 
... | timechart span=15m count

And alert if the value is less than the expected number (or it's zero).

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-25-2013 09:29 PM

Or ... | timechart span=15m sum(FilesOpen)

0 Karma
Reply

Lucas_K
Motivator
‎09-25-2013 06:35 PM

You could just check your _internal index for the indexing rate for events going to that particular index.

If the rate drops below a threshold then send an alert.

index="_internal" sourcetype="splunkd" group="per_index_thruput" NOT (series="_*" OR series="/*" OR series="summary*") | rename series as index  | stats avg(kbps) by index
Reply

justinfranks
Path Finder
‎09-25-2013 07:37 PM

Thanks for the response!

This would be good if I wanted to just alert. However, I would like to report on the missing events. ie count them.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...