Hello All,
How can we get a list of sources which did not have any data for the last 24 hours in Splunk for a particular index?
When I try to use metadata, the result comes by sourcetype, but not by source. Below is my search:
| metadata type=sourcetypes index=myindex | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
Could you please help us on this?
| tstats count where index=myindex by source index
| tstats count where index=myindex by host source sourcetype index splunk_server
Maybe something like this:
| metadata type=sources index=myindex | eval age=now()-recentTime | where age>86400 | rename totalCount as Count firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat Count=tostring(Count, "commas") | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c") | fieldformat age=tostring(age,"duration")
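An added alternative, not from any of the answers above: metadata is bucket-granular and its recentTime is index time, so a search keyed on event time with an explicit lookback via tstats is often what a "silent source" check actually wants. It assumes index=myindex from the question, a 30-day lookback chosen here, and a hypothetical lookup expected_sources.csv (one column, source) so that sources that have sent nothing at all in the lookback are also reported.

```spl
| tstats latest(_time) as lastEvent count where index=myindex earliest=-30d@d by source
```lastEvent is event time of the newest event per source in the lookback```
| append [| inputlookup expected_sources.csv | fields source]
```expected_sources.csv is an assumed lookup listing every source that should be reporting```
| stats max(lastEvent) as lastEvent sum(count) as count by source
```a source only present in the lookup ends up with a null lastEvent```
| eval ageInSeconds = now() - lastEvent
| where isnull(lastEvent) OR ageInSeconds > 86400
| eval status = if(isnull(lastEvent), "no events in lookback", "stale > 24h")
| fieldformat lastEvent = strftime(lastEvent, "%c")
| fieldformat ageInSeconds = tostring(ageInSeconds, "duration")
| table source status lastEvent ageInSeconds count
| sort - ageInSeconds
```

Drop the append and the stats line if there is no list of expected sources; the remaining search then reports only sources seen in the lookback window whose newest event is older than 24 hours.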
I use the below, usually for hosts; it should work for sourcetypes, but not for sources...
| metadata type=sourcetypes index=myindex
| fields - totalCount,type
| eval ageInSeconds = (now() - lastTime) ```seconds since the newest event; firstTime would measure how old the sourcetype is, not how long it has been silent```
| search ageInSeconds > 86400
| convert ctime(lastTime) ctime(recentTime) ctime(firstTime)
| table sourcetype ageInSeconds lastTime recentTime | sort - ageInSeconds
```metadata type=sourcetypes returns the field as "sourcetype", not "sourcetypes"```
Adjust the ageInSeconds threshold to the time frame you want to check.
Yes.
| metadata type=sources index=myindex