topic Re: Alert looking for no records over 6 hour time frame will not fire in Alerting

Alert looking for no records over 6 hour time frame will not fire

paries — Thu, 21 Dec 2017 14:50:42 GMT

Hello
still a noob at splunk

I have this alert that i can not get to fire

the goal is , to search for a term in the last 6 hours and if no records are found fire the alert

1) in the alerts page i "open in search" this is my search

host="X-TASKMAN1" auto_run.php "thread -> 1 finished" earliest=-6h@h latest=@h

this appears to return records when it should and does not when there are none

2) in the edit alert dialog i am trying to fire this alert when it finds no records

Re: Alert looking for no records over 6 hour time frame will not fire

somesoni2 — Thu, 21 Dec 2017 19:28:20 GMT

You're query is looking for last 6 hours and you're running the alert (schedule of it) once a day 4:00AM in the morning. Is that expected or you need the alert to run every 6 hours?. The alert would run at 4:00 AM.

Re: Alert looking for no records over 6 hour time frame will not fire

paries — Thu, 21 Dec 2017 20:01:48 GMT

i want it to run once a day @ 4:00am and look back 6 hours.
thanks for your help

Re: Alert looking for no records over 6 hour time frame will not fire

somesoni2 — Thu, 21 Dec 2017 20:04:11 GMT

Did you check if it was even ran at scheduled time?

index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere"

Re: Alert looking for no records over 6 hour time frame will not fire

paries — Thu, 21 Dec 2017 20:09:25 GMT

yes

12-21-2017 04:00:03.796 -0700 INFO  SavedSplunker - savedsearch_id="nobody;search;AP Thread Test", search_type="scheduled", user="dev", app="search", savedsearch_name="AP Thread Test", priority=default, status=success, digest_mode=1, scheduled_time=1513854000, window_time=0, dispatch_time=1513854000, run_time=0.520, result_count=0, alert_actions="", sid="scheduler__dev__search__RMD578055006f73a66bd_at_1513854000_3557", suppressed=0, thread_id="AlertNotifierWorker-1"

Re: Alert looking for no records over 6 hour time frame will not fire

MonkeyK — Fri, 22 Dec 2017 03:06:52 GMT

Paries. I've never tried alerting on 0 results, but what I do for that is to append a single result and look for just 1

base search
| append [| makeresults | eval msg="nothing else found"]

Re: Alert looking for no records over 6 hour time frame will not fire

Kwip — Fri, 22 Dec 2017 22:45:12 GMT

What I understood from you question is, you need to trigger alert, when you are not getting any output for your base query. The below query may serve your need. And set the Trigger Conditions as Trigger Alert when ==> Number of results is greater than 0.

index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere" OR your base query earliest=-6h@h latest=@h
| stats count 
| search count=0

Re: Alert looking for no records over 6 hour time frame will not fire

Kwip — Wed, 27 Dec 2017 16:23:53 GMT

@paris, Accept the answer if it is working fine. Let others find the relevant answer. Thank you!