How do I create a Splunk query for unused event types?


I have found that I can create a Splunk query to show how many times results of a certain event type appear in results.

severity=error | stats count by eventtype

This creates a table like so:

eventtype    | count
------------------------
myEventType1 | 5
myEventType2 | 12
myEventType3 | 30

So far so good. However, I would like to find event types with zero results. Unfortunately, those with a count of 0 do not appear in the query above, so I can't just filter by that.

How do I create a Splunk query for unused event types?

1

There is 1 answer

0
Dal Jeanis

There are lots of different ways for that, depending on what you mean by "event types". Somewhere, you have to get a list of whatever you are interested in, and roll them into the query.

Here's one version, assuming you had a csv that contained a list of eventtypes you wanted to see...

severity=error 
| stats count as mycount by eventtype
| inputcsv append=t mylist.csv
| eval mycount=coalesce(mycount,0)
| stats sum(mycount) as mycount by eventtype

Here's another version, assuming that you wanted a list of all eventtypes that had occurred in the last 90 days, along with the count of how many had occurred yesterday:

earliest=-90d@d latest=@d severity=error
| addinfo
| stats count as totalcount count(eval(_time>=info_max_time-86400)) as yesterdaycount by eventtype