topic Re: Alert not triggering when string value is empty in Other Usage

Why is alert not triggering when string value is empty?

POR160893 — Mon, 12 Jun 2023 13:30:39 GMT

Hi,

I have a Splunk alert where the trigger condition should be:

search ABC == ""

, where ABC is a string field and the alert is only triggered for records with such values as empty.

However, no alert is triggered so far.

What can I do?

Thanks.

Re: Alert not triggering when string value is empty

ITWhisperer — Mon, 12 Jun 2023 11:12:05 GMT

Try with where command

| where isnull(ABC) OR ABC==""

Re: Alert not triggering when string value is empty

POR160893 — Mon, 12 Jun 2023 12:35:39 GMT

Hey,

The full search which this alert is based on is this:

index=XYZ
| eval _time = strptime(dv_sys_updated_on, "%Y-%m-%d")
| eval month=strftime(_time, "%m")
| eval quarter = case(
month>=2 AND month<=4, "Q1",
month>=5 AND month<=7, "Q2",
month>=8 AND month<=10, "Q3",
month>=11 OR month<=1, "Q4"
)
| eval year = if(month>=2, strftime(relative_time(now(), "@y+1y"), "%y"), strftime(now(), "%y"))
| eval quarter = "FY" . year . quarter
| search quarter =FY29

| dedup HGF

| eval assigned_user=if(RITM == "", "", assigned_user)
| fields _time, quarter, RITM,
| table _time, quarter, RITM

However, I am assuming one cannot put this entire query into the trigger condition for the alert?

Re: Alert not triggering when string value is empty

ITWhisperer — Mon, 12 Jun 2023 13:22:38 GMT

The alert is essentially a report/search - the trigger is based on the results of the search - note that only the first result event is available to the trigger if you want to use fields from the search (as opposed to number of results, for example).