Splunk Search

Find empty directory that is continuously indexed by Splunk



I have a path that logs are copied to every day.


I created a script that copies logs there, but sometimes the logs are not copied to that path and the script just creates an empty directory with the current date.



How can I know when the directory is empty with Splunk?

FYI: this path is continuously indexed in Splunk.

Any idea?


0 Karma


Hi @indeed_2000 

There is no out-of-the-box approach that you can apply. Instead, there could be other ways using CLI commands; however, if I understand the requirement, you want to know/be notified if there are no events on a particular day.

Other than Splunk, you can monitor the destination dir with a custom script for an empty-dir check; if the copy fails, then send an email to notify.

The Splunk approach that I could think of is: for a particular day, if no events are found, then raise an alert (this is nothing but a scheduled search in Splunk) which you can send as email. Try the following query to set up such an alert.



index=<your_index_where_data_lands> sourcetype=<st> source="/opt/splunk/logs/*"
| eval today_date=strftime(now(),"%Y%m%d") 
| eval source_date=mvindex(split(source,"/"), 4) 
| where source_date=today_date 
| stats count 
| where count=0 



It compares today_date in YYYYMMDD format with the source path (segment 4 of the source is the date). This must be changed if your source path is different.


An upvote would be appreciated and Accept solution if this reply helps you!

0 Karma


Thank you for the answer,

I tried the command that you mentioned, but it returns nothing, just "0".


The directory has this structure:






e.g. expected result, if the app2 and app3 directories are empty:

2021:07:12 06:00:00       /opt/splunk/logs/20210712/app2      empty

2021:07:12 06:00:00       /opt/splunk/logs/20210712/app3      empty

Any idea?


0 Karma


@indeed_2000 the date/app1/ directories technically do not exist in Splunk since they haven't been ingested. The query works only for the current day and has to be scheduled to run once every day; earliest_time and latest_time should be within the current day. It gives you a heads-up every day on whether the new files are being picked up or not (meaning count = 0); other than that, it cannot show the source that you are expecting, as it never existed in Splunk.

0 Karma
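Since Splunk only sees directories that produced events, the empty-directory check the first reply suggests has to run on the host that owns the path. The script below is an added example written for this thread, not code from the thread or from Splunk: it assumes the <root>/<YYYYMMDD>/<app>/ layout implied by the asker's expected output, treats a directory with no file at any depth as empty, and emits one line per problem in the asker's timestamp layout with key=value fields that Splunk can extract at search time, so a scheduled search on status=empty or status=missing can drive the alert. The sample tree it builds is constructed for the demo.

```python
"""Empty-directory check for a dated log drop (added example, not from the thread).

Assumed layout, taken from the thread's expected output and not verified
against any real system:  <root>/<YYYYMMDD>/<app>/...  Every <app>
directory should contain at least one file after the nightly copy.

The script never runs inside Splunk; it runs on the host that owns the
directory, and its one-line-per-problem output is meant to be indexed so
a Splunk alert can fire on status=empty or status=missing.
"""
import os
import sys
import tempfile
from datetime import datetime
from pathlib import Path

# Fixed timestamp used by the built-in demo so its output is reproducible.
SAMPLE_TIME = datetime(2021, 7, 12, 6, 0, 0)


def has_any_file(path: Path) -> bool:
    """True if `path` contains at least one regular file at any depth."""
    for _dir, _subdirs, files in os.walk(path):
        if files:
            return True
    return False


def check_day(root, date_str):
    """Return sorted (path, status) pairs for problems under <root>/<date_str>.

    status is "missing" when the date directory was never created and
    "empty" when a directory exists but holds no file at any depth.
    Only problems are returned; a healthy day yields an empty list.
    """
    day_dir = Path(root) / date_str
    if not day_dir.is_dir():
        return [(str(day_dir), "missing")]
    if not has_any_file(day_dir):
        # Nothing under the date at all: report the day, not each app.
        return [(str(day_dir), "empty")]
    problems = []
    for app_dir in sorted(p for p in day_dir.iterdir() if p.is_dir()):
        if not has_any_file(app_dir):
            problems.append((str(app_dir), "empty"))
    return problems


def format_report(problems, when):
    """One line per problem: timestamp first, then key=value fields.

    The YYYY:MM:DD HH:MM:SS prefix copies the layout the asker wanted;
    key=value pairs let Splunk extract path and status at search time.
    """
    stamp = when.strftime("%Y:%m:%d %H:%M:%S")
    return [f"{stamp} path={path} status={status}" for path, status in problems]


def build_sample_tree():
    """Constructed demo tree: app1 has a log, app2 is empty, app3 holds only
    an empty subdirectory. Returns the temporary root as a Path."""
    root = Path(tempfile.mkdtemp(prefix="logdrop_"))
    (root / "20210712" / "app1").mkdir(parents=True)
    (root / "20210712" / "app1" / "app1.log").write_text("sample line\n")
    (root / "20210712" / "app2").mkdir()
    (root / "20210712" / "app3" / "sub").mkdir(parents=True)
    return root


if __name__ == "__main__":
    # Usage: python check_logdrop.py [ROOT [YYYYMMDD]]; with no arguments it
    # runs against the constructed sample tree for the 20210712 copy.
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        date_str = sys.argv[2] if len(sys.argv) > 2 else datetime.now().strftime("%Y%m%d")
        when = datetime.now()
    else:
        root, date_str, when = build_sample_tree(), "20210712", SAMPLE_TIME
    for line in format_report(check_day(root, date_str), when):
        print(line)
```

Run it from cron shortly after the copy job and append its output to a file that the forwarder already monitors; because a healthy day writes nothing, the alert search only has to look for status=empty OR status=missing in the last 24 hours, which is simpler and more robust than the count=0 check, since the "missing" case also covers the day the copy script never ran at all.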