topic Re: mail when no result comes in Reporting

mail when no result comes

logloganathan — Wed, 24 Oct 2018 13:50:40 GMT

i want to get an email when no result comes for a specific query. But, whenever some problem occurs in Splunk, unfortunately i am getting an email.

Could you please help me to fix this issue?

Re: mail when no result comes

mstjohn_splunk — Wed, 24 Oct 2018 18:06:59 GMT

Hi @logloganathan,

Could you give us some more context for this problem? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

Thanks for posting!

Re: mail when no result comes

niketn — Wed, 24 Oct 2018 19:17:16 GMT

@logloganathan what is your current query for Alert and what is your Alert Trigger condition?

Also please explain some problem occurs as to what kind of problem/s?

Re: mail when no result comes

logloganathan — Fri, 26 Oct 2018 08:33:10 GMT

Hi Nikenilay,

thanks for your response!!

i used very simple

index=ABC source=XYZ "somefindinfcommand" | stats count by source _time

it trigger the alert when the table less than 1

but whenever splunk not getting any data, it triggering the false alert

Re: mail when no result comes

logloganathan — Fri, 26 Oct 2018 08:33:35 GMT

thanks for your response!!

i used very simple

index=ABC source=XYZ "somefindinfcommand" | stats count by source _time

it trigger the alert when the table less than 1

but whenever splunk not getting any data, it triggering the false alert

Re: mail when no result comes

inventsekar — Fri, 26 Oct 2018 08:43:18 GMT

it trigger the alert when the table less than 1
but whenever splunk not getting any data, it triggering the false alert
when the table result is less than 1 means, you are checking if the result event count is 0.

and whenever splunk not getting any data, means, the result is also zero.. and that should trigger the alert, right. how you say that its a false alert?!?!

Re: mail when no result comes

logloganathan — Fri, 26 Oct 2018 08:47:14 GMT

yes you are correct, it is due to splunk issue.some time splunk restart happen then i am getting these alert

Re: mail when no result comes

inventsekar — Fri, 26 Oct 2018 09:03:39 GMT

so, pls try to adjust your query so that it will create a known number of results.. and when that known number of result is not coming, you can trigger an alert.

Re: mail when no result comes

MousumiChowdhur — Fri, 26 Oct 2018 09:59:39 GMT

Hi @logloganathan,

May be you can try to modify your query and have the trigger condition as when the count=0 and you don't have a "splunk restart" message in _internal index

Thank you!

Re: mail when no result comes

logloganathan — Tue, 27 Nov 2018 13:53:31 GMT

Hi Mousumi,

Thanks for your response

Could you please provide example query

Thanks
Loganathan

Re: mail when no result comes

vr2312 — Tue, 04 Dec 2018 02:21:14 GMT

Try setting custom alerts which will trigger only when results are zero. In the alert actions tab.

Re: mail when no result comes

logloganathan — Wed, 05 Dec 2018 08:54:14 GMT

where that present?

Re: mail when no result comes

vr2312 — Wed, 05 Dec 2018 23:14:39 GMT

Okay, you would receive an email if there is an infrastructural issue with Splunk due to which searching and indexing operations get impacted. That is how it works, You might have to use this for better validity :

| eval delay = _indextime - _time

If there is a delay in indexing and the search results are triggering due to that, you can avoid those by using the above command in your search.

Re: mail when no result comes

logloganathan — Tue, 18 Dec 2018 13:38:36 GMT

can i use this query directly in the alert?

basic search | table host

how to modify this query with your example

Re: mail when no result comes

logloganathan — Thu, 20 Dec 2018 12:34:52 GMT

Could you please provide an update

Re: mail when no result comes

logloganathan — Tue, 19 Feb 2019 13:20:32 GMT

Could anyone please help...
we are still facing the issue

Re: mail when no result comes

logloganathan — Mon, 25 Feb 2019 14:02:44 GMT

i am still facing for the response

Re: mail when no result comes

logloganathan — Tue, 26 Feb 2019 11:24:41 GMT

Could anyone please help me in this issue

Re: mail when no result comes

vr2312 — Wed, 27 Feb 2019 23:38:26 GMT

Tweak the query as stated. It would help, there is not fixed answer for this as the query is different w.r.t. data ingested.

Re: mail when no result comes

logloganathan — Thu, 28 Feb 2019 14:20:20 GMT

like this...????
basic search | table host | eval delay = _indextime - _time