https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76838#M1057 <P>Seems fairly straightforward. You search for the text in the file over the appropriate time range (e.g., midnight to 8:30am, run at 8:45am). Then send an alert if the count of results is zero, or less than 1. That is an option available when configuring alerts.</P> Wed, 27 Mar 2013 22:10:41 GMT gkanapathy 2013-03-27T22:10:41Z https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76837#M1056 <P>I want to alert if the text "OmniKrnlService.main: starting, service name" is not present in a log file by 8:30 AM every day.</P> <P>I know how to alert when text is present but not how to alert when it's not present. </P> Wed, 27 Mar 2013 21:13:49 GMT https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76837#M1056 peter_gianusso 2013-03-27T21:13:49Z https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76838#M1057 <P>Seems fairly straightforward. You search for the text in the file over the appropriate time range (e.g., midnight to 8:30am, run at 8:45am). Then send an alert if the count of results is zero, or less than 1. That is an option available when configuring alerts.</P> Wed, 27 Mar 2013 22:10:41 GMT https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76838#M1057 gkanapathy 2013-03-27T22:10:41Z https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76839#M1058 <P>index=WhatYouChoose "OmniKrnlService.main" earliest=-0d@d latest=-0d@d+510m | stats count | eval Flag=if(count&gt;0,1,0) | search Flag=1</P> <P>This would have you searching between midnight and 8:30am each day, but there isn't a solid way to decimal point it</P> <P>(510 minutes from midnight is 8:30am)</P> <P>| search Flag=1 would mean you found results<BR /> | search Flag=0 would mean you did not find results</P> Fri, 22 Apr 2016 12:37:55 GMT https://community.splunk.com/t5/Alerting/Alert-if-text-is-not-present/m-p/76839#M1058 ArthurGautesen 2016-04-22T12:37:55Z