topic Re: Alert if missing field in Dashboards & Visualizations

Is there a way to Alert if missing field value?

Newser703 — Mon, 11 Jul 2022 14:41:58 GMT

Hello, I have an index that looks like that :

Server Month Number of connexions --------------------------------------- A January 10 B January 12 C January 7 A February 5 B February C February 0

Let's say I sum the Number of connexions by Month, is there a way to raise an alert if a value is missing (here Server B in February) ?

Re: Alert if missing field

gcusello — Mon, 11 Jul 2022 08:18:36 GMT

Hi @Newser703,

could you share your search? so I can help you to define the firing condition.

Anyway, I suppose that if a value is missing you don't have logs from that source, maybe it could betetr to have an alert that immediately fires if you haven't logs and not after one month!

Ciao.

Giuseppe

Re: Alert if missing field

Newser703 — Mon, 11 Jul 2022 08:29:04 GMT

The search is very simple, because the index already looks like the one I described.

It's something like :

index=MyIndex | where Month="January" OR Month="February" | stats sum("Number of connexions") AS Sum BY Month

Re: Alert if missing field

gcusello — Mon, 11 Jul 2022 09:14:27 GMT

Hi @Newser703,

this search cannot have the output you shared because there's also the server field,

Probably it should be something like this:

index=MyIndex | where Month="January" OR Month="February" | stats sum("Number of connexions") AS Sum BY Server Month

but if you don't have a value for a server in a month, you don't have the entire row,

maybe you could have something like this:

index=MyIndex | where Month="January" OR Month="February" | Chart sum("Number of connexions") AS Sum OVER Server BY Month

But anyway you don't have the missing value ,

You could use a workaround:

index=MyIndex Month="January" OR Month="February" | stats dc(Month) AS dc_month values(Month) AS Month BY Server | where dc_month=1

This search has anly one limit: if the values of both months are missing.

Then anyway, you don't need to use where after the main search, it's always better (for performances) to put all the search conditions as left as possible.

Ciao.

Giuseppe

Re: Alert if missing field

Newser703 — Mon, 11 Jul 2022 09:27:37 GMT

What I shared in the question is the base index, what I'm working with before using any command.

Re: Alert if missing field

gcusello — Mon, 11 Jul 2022 10:11:09 GMT

Hi @Newser703,

did my solution work for you?

Ciao.

Giuseppe

Re: Alert if missing field

PickleRick — Mon, 11 Jul 2022 10:57:40 GMT

The main question is what do your results really look like.

Because if you do simple stats count splunk will not create a row in results when there are no events to aggregate. It will however produce a row of results with count of 0 if you use timechart.