https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552525#M10518 <P>I am just starting off with configuring up some Alerts in my Splunk environment.</P><P>One of the alerts that i have configured up as a test is to run a scheduled test once a day, looking to see whether any of the Cisco switches in my environment has restarted. I've configured up the following search:</P><P>index=&lt;my_index&gt; "%SYS-5-RESTART" | stats count</P><P>When using this as a simple search, this seems to work well, letting me know accurately if a switch has rebooted within the search time window. However with the alert that i have created from this search, it seems to be sending out an email regardless of the search result.</P><P>The Alert configuration i have used is as follows:</P><UL><LI>Alert Type: scheduled (run everyday at 5pm)</LI><LI>Expires 24 hours</LI><LI>Trigger alert when: Number of Results is greater than 0</LI><LI>Trigger: once</LI><LI>Trigger Actions: Send email</LI></UL><P>even today, when i used the above search term for the last 24 hours, it is coming up with a count of 0 and yet Splunk is still forwarding out an email at 5pm. Is there something that i am missing with the alert syntax?</P><P>Thanks,</P> Fri, 21 May 2021 07:54:18 GMT mike_k 2021-05-21T07:54:18Z https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552525#M10518 <P>I am just starting off with configuring up some Alerts in my Splunk environment.</P><P>One of the alerts that i have configured up as a test is to run a scheduled test once a day, looking to see whether any of the Cisco switches in my environment has restarted. I've configured up the following search:</P><P>index=&lt;my_index&gt; "%SYS-5-RESTART" | stats count</P><P>When using this as a simple search, this seems to work well, letting me know accurately if a switch has rebooted within the search time window. However with the alert that i have created from this search, it seems to be sending out an email regardless of the search result.</P><P>The Alert configuration i have used is as follows:</P><UL><LI>Alert Type: scheduled (run everyday at 5pm)</LI><LI>Expires 24 hours</LI><LI>Trigger alert when: Number of Results is greater than 0</LI><LI>Trigger: once</LI><LI>Trigger Actions: Send email</LI></UL><P>even today, when i used the above search term for the last 24 hours, it is coming up with a count of 0 and yet Splunk is still forwarding out an email at 5pm. Is there something that i am missing with the alert syntax?</P><P>Thanks,</P> Fri, 21 May 2021 07:54:18 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552525#M10518 mike_k 2021-05-21T07:54:18Z https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552531#M10519 <P>Your search is returning a result (count = 0) - add "| where count &gt; 0" to your search so results are only returned when there is something worth alerting</P> Fri, 21 May 2021 08:20:50 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552531#M10519 ITWhisperer 2021-05-21T08:20:50Z https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552663#M10525 <P>thanks, that did the trick.</P><P>&nbsp;</P> Mon, 24 May 2021 01:24:58 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert-query-syntax/m-p/552663#M10525 mike_k 2021-05-24T01:24:58Z