https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563841#M10031 <P>Scenario:</P><P>Example query :&nbsp;<SPAN>&nbsp;index=XXXX name=somefile | stats count(msg) as MESSAGE</SPAN></P><P>The above query will always return some count.</P><P>I want to alert if the Message=0 for two consecutive 5 min interval over the last 15 min interval i.e. when no values are returned.</P><P>earliest=-15m if two out of three interval (5min) the message=0 i want to take some actions</P> Wed, 18 Aug 2021 19:15:19 GMT masmi99 2021-08-18T19:15:19Z https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563841#M10031 <P>Scenario:</P><P>Example query :&nbsp;<SPAN>&nbsp;index=XXXX name=somefile | stats count(msg) as MESSAGE</SPAN></P><P>The above query will always return some count.</P><P>I want to alert if the Message=0 for two consecutive 5 min interval over the last 15 min interval i.e. when no values are returned.</P><P>earliest=-15m if two out of three interval (5min) the message=0 i want to take some actions</P> Wed, 18 Aug 2021 19:15:19 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563841#M10031 masmi99 2021-08-18T19:15:19Z https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563842#M10032 <P>Just add this to the end of your alert query:<BR /><BR />| where result_count=0</P> Wed, 18 Aug 2021 19:26:37 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563842#M10032 codebuilder 2021-08-18T19:26:37Z https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563845#M10033 <P>when i add where MESSAGE=0 it is not returning any result</P><P>As my intention is to check for last 15 min if two of 5 min interval does not get any result to do some other action</P><P>index=XXX name=file-XXX level&lt;50<BR />| bucket _time span=5m<BR />| fillnull value=0<BR />| stats count(msg) as MESSAGES by _time</P><P>tried this but this will provide the result as follows it skipped 3:25 when&nbsp; the count was 0</P><TABLE><TBODY><TR><TD>2021-08-18 03:20:00</TD><TD>25</TD></TR><TR><TD>2021-08-18 03:30:00</TD><TD>139</TD></TR><TR><TD>2021-08-18 03:35:00</TD><TD>10</TD></TR><TR><TD>&nbsp;</TD><TD>&nbsp;</TD></TR></TBODY></TABLE> Wed, 18 Aug 2021 19:32:05 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563845#M10033 masmi99 2021-08-18T19:32:05Z https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563857#M10034 <P>The problem with you query is that you are not eliminating events where "msg" has a non null value. That's why youre getting results with counts.<BR /><BR />Try something like this:<BR /><BR /></P><LI-CODE lang="markup">index=XXX name=file-XXX | fields + msg level&lt;50 | bucket _time span=5m | fillnull value=0 | where msg=0 | stats count(msg) as MESSAGES by _time</LI-CODE> Wed, 18 Aug 2021 20:24:00 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-query-to-Check-when-no-value-is-returned/m-p/563857#M10034 codebuilder 2021-08-18T20:24:00Z