https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538518#M10193 <P>Hi. I don't use real time alerting.&nbsp;</P><P>Try scheduled. For real-time I can't see the conditions when it would alert.</P><P>I will attach to typical kinds of alerting I do (oh only allowed on attachment per reply)..&nbsp;</P><OL><LI>Either when the result count is greater than 0 (see attachment)</LI><LI>A field has some particular value (for that I do custom and then in the box I literally say&nbsp;</LI></OL><LI-CODE lang="markup">search myfield &gt; 3</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Feb 2021 20:31:31 GMT burwell 2021-02-03T20:31:31Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538299#M10183 <P>Hello,</P><P>I am a noob at Splunk. I know there are a few posts on this already but I'm not able to find a solution for my specific problem. I want to make an alert for when indexing stops. I am using the following:&nbsp;| tstats latest(_time) as latest where index=* by host | where latest &lt; relative_time(now(), "-1m")</P><P>Normally, I want the "-1m" to be "-1d" but i changed it to test the alert. I can see on the search that I have a result from an ip address that is not indexing events every minute so I know the search is working. When I save it as an alert however, I get no alerts. I have tried real-time and scheduled alerts to attempts a trigger.</P><P>Does anyone know why the alert doesnt work or if there is something off with the search I am trying to use?</P><P>&nbsp;</P><P>Thanks!</P> Tue, 02 Feb 2021 15:44:26 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538299#M10183 gba8912 2021-02-02T15:44:26Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538380#M10187 <P>Hi do you want to share exactly how you are setting up the alert condition and what are you using to alert? Can you check the _internal index for errors?</P> Wed, 03 Feb 2021 06:48:13 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538380#M10187 burwell 2021-02-03T06:48:13Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538512#M10191 <P>Hi Burwell,</P><P>&nbsp;</P><P>Thanks for your reply. I have searched _internal and have 1,136,041 events. I don't really see any errors but maybe I don't know what to look for. Also, I am using the search I posted and saving it as an alert. I have attached a screenshot of the settings that I currently have. I have also tried using the scheduled time feature. Neither works.&nbsp;</P> Wed, 03 Feb 2021 19:55:56 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538512#M10191 gba8912 2021-02-03T19:55:56Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538516#M10192 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228952">@gba8912</a>,</P><P>tstats searches cannot run in realtime. You should change your alert schedule to "Scheduled".</P><P>&nbsp;</P> Wed, 03 Feb 2021 20:23:34 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538516#M10192 scelikok 2021-02-03T20:23:34Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538518#M10193 <P>Hi. I don't use real time alerting.&nbsp;</P><P>Try scheduled. For real-time I can't see the conditions when it would alert.</P><P>I will attach to typical kinds of alerting I do (oh only allowed on attachment per reply)..&nbsp;</P><OL><LI>Either when the result count is greater than 0 (see attachment)</LI><LI>A field has some particular value (for that I do custom and then in the box I literally say&nbsp;</LI></OL><LI-CODE lang="markup">search myfield &gt; 3</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Feb 2021 20:31:31 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538518#M10193 burwell 2021-02-03T20:31:31Z https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538644#M10198 <P>Thanks! I was able to get the alerts to work with scheduled.&nbsp;</P> Thu, 04 Feb 2021 16:27:25 GMT https://community.splunk.com/t5/Alerting/Alerts-when-indexing-stops/m-p/538644#M10198 gba8912 2021-02-04T16:27:25Z