https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369038#M108762 <P>My organization using something called Ticketer to in Splunk to auto-generate an incident form when something shows up in the logs. An example would look like this:</P> <P>ns="my_application_namespace" "Exception X has occurred" | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "Exception X has occured" | ticketer</P> <P>I saved that alert and it runs once an hour and if "Exception X has occurred" shows up in the logs anywhere an incident is created. Note that this isn't configured in the saved alert, it is part of the search query. </P> <P>Now, what want to do is run a search query for a healthcheck url to make sure a service is up and running. If I don't see the healthcheck url appearing in the logs for an hour it means the service is down and an incident needs to be created. </P> <P>This is what I have so far: <BR /> ns="my_application_namespace" "healthcheckUrlHere" | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "The Servive is down" | ticketer</P> <P>I'm thinking I could use something like | stats count | search count=0</P> <P>Would this work if I inserted it before the eval portion of the search? Like: ns="my_application_namespace" "healthcheckUrlHere" | stats count | search count=0 | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "The Servive is down" | ticketer</P> <P>Or is there a better way of doing something like this that I don't know about? </P> <P>Thanks for any help! </P> Tue, 29 Sep 2020 16:46:55 GMT lordhans 2020-09-29T16:46:55Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369038#M108762 <P>My organization using something called Ticketer to in Splunk to auto-generate an incident form when something shows up in the logs. An example would look like this:</P> <P>ns="my_application_namespace" "Exception X has occurred" | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "Exception X has occured" | ticketer</P> <P>I saved that alert and it runs once an hour and if "Exception X has occurred" shows up in the logs anywhere an incident is created. Note that this isn't configured in the saved alert, it is part of the search query. </P> <P>Now, what want to do is run a search query for a healthcheck url to make sure a service is up and running. If I don't see the healthcheck url appearing in the logs for an hour it means the service is down and an incident needs to be created. </P> <P>This is what I have so far: <BR /> ns="my_application_namespace" "healthcheckUrlHere" | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "The Servive is down" | ticketer</P> <P>I'm thinking I could use something like | stats count | search count=0</P> <P>Would this work if I inserted it before the eval portion of the search? Like: ns="my_application_namespace" "healthcheckUrlHere" | stats count | search count=0 | eval severity="4" | eval emailAddress="<A href="mailto:myTeam@somewhere.com" target="_blank">myTeam@somewhere.com</A>" | eval description = "The Servive is down" | ticketer</P> <P>Or is there a better way of doing something like this that I don't know about? </P> <P>Thanks for any help! </P> Tue, 29 Sep 2020 16:46:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369038#M108762 lordhans 2020-09-29T16:46:55Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369039#M108763 <P>If you're only looking for a single healthCheckUrl this is likely pretty simple, and what you have above should be fine.</P> <P>If you wanted to abstract it out to multiple <CODE>ns</CODE> or <CODE>healthCheckUrl</CODE> values it would be more involved.</P> Tue, 14 Nov 2017 00:57:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369039#M108763 micahkemp 2017-11-14T00:57:17Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369040#M108764 <P>Your query looks good. You can combine different eval statement in single command.</P> <PRE><CODE>ns="my_application_namespace" "healthcheckUrlHere" | stats count | search count=0 | eval severity="4", emailAddress="myTeam@somewhere.com" , description = "The Servive is down" | ticketer </CODE></PRE> Tue, 14 Nov 2017 05:37:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369040#M108764 hardikJsheth 2017-11-14T05:37:52Z https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369041#M108765 <P>Hi lordhans,<BR /> knowing the list of processes to healthcheck I'd think to a different approach creating a lookup containing the processes to check:</P> <PRE><CODE>Your_search [ | inputlookup processes.csv | fields process ] | eval process=lower(process) | stats count by process | append [ | inputlookup processes.csv | eval process=lower(process), count=0 | fields process count ] | stats sum(count) AS Total BY process </CODE></PRE> <P>In this way, processes where Total=0 are missed and processes where Total&gt;0 are OK.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 14 Nov 2017 07:58:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-trigger-an-action-when-no-results-are-found-without-using/m-p/369041#M108765 gcusello 2017-11-14T07:58:13Z