topic Re: How to trigger an alert when no data from hosts? in Splunk Enterprise

How to trigger an alert when no data from hosts?

Ash1 — Fri, 28 Oct 2022 18:36:39 GMT

Hi all,

i have below query

index=advcf request=* host=abgc host=efgh host=jhty host=hjyu host=kjnbh

here i want the email alert to trigger when data is not coming from any one of the hosts.
and i want to see that host name in a table format in the mail.

how can i do that????

Re: How to trigger an alert when no data from hosts?

richgalloway — Fri, 28 Oct 2022 20:18:22 GMT

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

Re: How to trigger an alert when no data from hosts?

Ash1 — Fri, 28 Oct 2022 21:43:25 GMT

@richgalloway , thank for the info, as per the link provided without lookup file we cannot see the host data with 0 count. i got it.
but now my requirement is how can i create an alert when no data coming from any one of the hosts.
i created a below query for that, please let me know if this is correct

index=advcf request=* host IN(abgc, efgh, jhty, hjyu,kjnb) |stats count |where count=0

Re: How to trigger an alert when no data from hosts?

johnhuang — Fri, 28 Oct 2022 23:09:35 GMT

Just append some dummy records for each host and assign an event count of 0 to it. Instead of count, use sum to add up the results.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sat, 29 Oct 2022 16:35:42 GMT

I tried to use the below query but getting below error:

Error in 'search operator:rex': usage:regex[field=<field>]<regex>

Re: How to trigger an alert when no data from hosts?

richgalloway — Sat, 29 Oct 2022 16:47:26 GMT

That query will trigger an alert only if there are no results from all hosts.

Re: How to trigger an alert when no data from hosts?

richgalloway — Sat, 29 Oct 2022 16:49:35 GMT

Please share the query that produced the error message. Is that the complete error text? It appears to be incomplete and incorrect.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sat, 29 Oct 2022 17:20:08 GMT

but i want the alert to be triggered when data is not coming from 1 host as well...

Re: How to trigger an alert when no data from hosts?

Ash1 — Sat, 29 Oct 2022 17:21:25 GMT

I used the same query given the only change in the original query is host and index name change, and the error i posted is the complete error.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sat, 29 Oct 2022 17:22:18 GMT

my requirement is just i need to trigger an alert when data is not coming from any hosts.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sat, 29 Oct 2022 17:24:35 GMT

@richgalloway as u said the query i gave will trigger an alert only when data is not available in all 5 hosts.
but i want the alert to be triggered even when data not there in 1 host as well
can u please tune this query

index=advcf   request=*  host IN(abgc, efgh, jhty, hjyu,kjnb)
|stats count
|where count=0

Re: How to trigger an alert when no data from hosts?

richgalloway — Sun, 30 Oct 2022 00:35:10 GMT

Have you tried the query suggested by @johnhuang ? It looks good to me.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sun, 30 Oct 2022 13:04:27 GMT

I tried to use the query but getting below error:

Error in 'search operator:rex': usage:regex[field=<field>]<regex>

Re: How to trigger an alert when no data from hosts?

richgalloway — Sun, 30 Oct 2022 13:42:46 GMT

Interesting. The exact query, without changes, works fine for me. Please post the exact query you used.

Re: How to trigger an alert when no data from hosts?

Ash1 — Sun, 30 Oct 2022 18:28:18 GMT

Hi @richgalloway they was a typo error in my original query, i noticed that, now the given query is working fine.
Thanks a lot @richgalloway and @johnhuang for making this done.😊
i accept this as a solution