×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
RobK700000
New Member
Member since: 4 weeks ago
4 weeks ago
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-26-2025
Activity Feed
Topics I've Started
View All

Index Health and Welfare Tstats count

by in Splunk Search
4 weeks ago
4 weeks ago
I am trying to run a daily report that tells me all the indexes that have had 0 events in the past 24 hours. From other searches I have found the below query which seems to work fine except I want to not include certain indexes that I know will always be a 0 count. So for example if I know indexes named index1, index2 and index3 will always be 0 and want them not to show up in the report how would one accomplish that? This is the base search without removing any indexes from results. Appreciate any advice thanks. | tstats count where index=* by index | append [|rest /services/data/indexes | dedup title | fields title ```Discard internal indexes``` | search title!="_*" | rename title as index | eval count=0 ] ```Merge results, keeping the copy with a non-zero, if present``` | stats max(count) as count by index | where count==0 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
4 weeks ago