Find empty directory that is continuously indexed by Splunk

indeed_2000
Motivator

Hi

I have a path that logs are copied to every day:

/opt/splunk/logs/$DATE

I created a script that copies the logs there, but sometimes the logs are not copied to that path and the script just creates an empty directory with the current date:

/opt/splunk/logs/20210712

How can I know when the directory is empty with Splunk?

FYI: this path is continuously indexed by Splunk.

Any idea?

Thanks


venkatasri
SplunkTrust

Hi @indeed_2000 

There is no out-of-the-box approach that you can apply. Instead there could be other ways using CLI commands; however, if I understand the requirement, you want to know/be notified if there are no events on a particular day.

Other than Splunk, you can monitor the destination dir with a custom script for an empty-dir check; if the copy fails, then send an email to notify.

The Splunk approach that I could think of is: for a particular day, if no events are found, then raise an alert (this is nothing but a scheduled search in Splunk) which you can send as email. Try the following query to set up such an alert.

index=<your_index_where_data_lands> sourcetype=<st> source="/opt/splunk/logs/*"
| eval today_date=strftime(now(),"%Y%m%d")
| eval source_date=mvindex(split(source,"/"), 4)
| where source_date=today_date
| stats count
| where count=0

It compares today_date in the format YYYYMMDD with the source path (segment 4 is the date from the source). This must be changed if your source path is different.

---

An upvote would be appreciated and Accept solution if this reply helps you!


indeed_2000
Motivator

Thank you for the answer,

I tried the command that you mentioned but it returns nothing, just "0".

The directory has this structure:

/opt/splunk/logs/20210712/app1

/opt/splunk/logs/20210712/app2

/opt/splunk/logs/20210712/app3

...

e.g. expected result, if the app2 and app3 directories are empty:

2021:07:12 06:00:00       /opt/splunk/logs/20210712/app2      empty

2021:07:12 06:00:00       /opt/splunk/logs/20210712/app3      empty

Any idea?

Thanks


venkatasri
SplunkTrust

@indeed_2000 the date/app1/ directories technically do not exist in Splunk since they haven't been ingested. The query works only for the current day; it has to be scheduled to run once every day, and earliest_time, latest_time should be within the current day. It gives you a heads-up every day whether the new files are being picked up or not, meaning count = 0; other than that it cannot show the source that you are expecting, as it never existed in Splunk.

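Since Splunk never sees a directory that holds no files, the empty-dir check has to run on the host, as the first reply suggests. The script below is an added example (not code from the thread or from Splunk): it covers both the original case (an empty dated directory) and the follow-up layout (empty app1/app2/app3 subdirectories), prints lines in the format the poster asked for, and appends them to a file that the already-monitored path picks up, so a normal alert on the word "empty" flags the failed copy. LOG_BASE, REPORT and the --check flag are assumptions.

```shell
#!/bin/sh
# Added example: report empty per-app directories under a dated log directory
# so that a failed copy itself becomes an event Splunk can index and alert on.
# Assumed (constructed) values: LOG_BASE, REPORT and the --check flag. Run it
# from cron right after the copy job:  sh check_logcopy.sh --check
LOG_BASE="${LOG_BASE:-/opt/splunk/logs}"                # base path from the thread
REPORT="${REPORT:-/opt/splunk/logs/logcopy_check.log}"  # assumed: file under the monitored path

# report_empty_dirs DAY_DIR
# Prints "<timestamp>\t<path>\t<state>" for every problem found: "missing" when
# the dated directory is absent, "empty" when a directory has no entries.
# Returns 0 when everything looks fine and 1 otherwise, so the exit status can
# also drive a cron mail or a monitoring check.
report_empty_dirs() {
    day_dir="$1"
    stamp=$(date '+%Y:%m:%d %H:%M:%S')
    found=0
    if [ ! -d "$day_dir" ]; then
        printf '%s\t%s\tmissing\n' "$stamp" "$day_dir"
        return 1
    fi
    # The dated directory exists but the copy produced nothing at all.
    if [ -z "$(ls -A "$day_dir")" ]; then
        printf '%s\t%s\tempty\n' "$stamp" "$day_dir"
        return 1
    fi
    # Per-app subdirectories: app1, app2, ... as in the poster's layout.
    for app_dir in "$day_dir"/*/; do
        [ -d "$app_dir" ] || continue            # glob matched nothing
        app_dir=${app_dir%/}
        if [ -z "$(ls -A "$app_dir")" ]; then
            printf '%s\t%s\tempty\n' "$stamp" "$app_dir"
            found=1
        fi
    done
    return $found
}

# count_empty_dirs DAY_DIR  ->  number of "empty" lines reported for that day
count_empty_dirs() {
    report_empty_dirs "$1" | grep -c 'empty$' || true
}

if [ "${1:-}" = "--check" ]; then
    report_empty_dirs "$LOG_BASE/$(date '+%Y%m%d')" >>"$REPORT"
fi
```

The search from the first reply can then be pointed at the report file (source="/opt/splunk/logs/logcopy_check.log" with a search for "empty") instead of relying on count=0.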