Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Index creation and deletion alerting in Splunk Search head

anandhalagaras1
Communicator
‎02-07-2024 12:05 AM

Hi Team,

Our Splunk is hosted in Cloud. And my requirement is that if an index is getting created then i need to get an alert and similarly if an index is getting deleted from the Search head i need to get an alert. So kindly help with the query.

 

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-07-2024 12:27 AM

Hi @anandhalagaras1,

this is the condition to identify index creation events:

index=_internal  NOT StreamedSearch IndexWriter Initializing

For index deletion, you could use:

index=_internal  NOT StreamedSearch event=removeIndex action=deleteIndexRequest

then in both cases, you can define the fields that you want to display.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...