topic How do you trigger an alert using stats count to return 0 when value is 0? in Splunk Search

How do you trigger an alert using stats count to return 0 when value is 0?

markhvesta — Mon, 25 Feb 2019 20:22:43 GMT

I have an alert that is not triggering because there are no events occurring for one of my search parameters. I would like to trigger when there are less than 10 events for "OtherChannelWithNoEvents", but when there are no events, no results are found for it and it is not triggered.

Here is the search:

sourcetype="databasesourcetype" 
|  eval Channel = case(ChannelCD == 3, "CSR", ChannelCD == 58 AND PartnerChannelDescriptor = "COR", "OtherChannelWithNoEvents")
| stats count by Channel
| search (Channel = OtherChannelWithNoEvents count <10)
OR (Channel = CSR count <200)

Re: How do you trigger an alert using stats count to return 0 when value is 0?

somesoni2 — Mon, 25 Feb 2019 20:48:47 GMT

What's your trigger condition? Do you also want to trigger alert when your base search doesn't have any results?

Re: How do you trigger an alert using stats count to return 0 when value is 0?

markhvesta — Mon, 25 Feb 2019 21:08:16 GMT

Trigger is count > 1 and Yes.

It is a low volume alert, so when Either of those two channels is lower than a certain threshold, even 0 it should trigger an alert.

Re: How do you trigger an alert using stats count to return 0 when value is 0?

somesoni2 — Mon, 25 Feb 2019 21:12:24 GMT

Keep the same trigger condition and try this version of search (the appendpipe will add a rows when there is no data from stats. We use that row in your filter)

 sourcetype="databasesourcetype" 
 |  eval Channel = case(ChannelCD == 3, "CSR", ChannelCD == 58 AND PartnerChannelDescriptor = "COR", "OtherChannelWithNoEvents")
 | stats count by Channel
 | appendpipe [| stats count | where count=0 | eval Channel="No_Records"]
 | search (Channel = OtherChannelWithNoEvents count <10)
 OR (Channel = CSR count <200) OR (Channel="No_Records")