Find results that appears in a % of the cases and ...

felipesodre · ‎06-29-2021

Hi there,

First of all, thank you for any comment.

I am looking for a way to identify if I have any index missing across databases in my environment.

So, I am logging in Splunk all indexes I have across the environment and the results looks like as following:

[
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_a"
},
{
"indexrelname":" index_2",
"table":" tb_2",
"database":"db_a"
},
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_b"
},
{
"indexrelname":" index_2",
"table":" tb_2",
"database":"db_b"
},
{
"indexrelname":" index_1",
"table":" tb_1",
"database":"db_c"
},
Missing index_2 tb_2 here...
]

So, as an example I would like to find the missing index "index_2" on the table "tb_2" on database "db_c".

The result would be a table of missing index:

database | table | indexrelname

db_c | tb_2 | index_2

Does anyone able to help ?

richgalloway · ‎06-30-2021

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, an upvote would be appreciated.

Find results that appears in a % of the cases and list the outliers

fields

other

table

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Find results that appears in a % of the cases and list the outliers

fields

other

table

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>