https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574589#M200235 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240460">@rajs115</a>,</P><P>your search is larger than what you need, you could simply run:</P><LI-CODE lang="markup">sourcetype="logs"</LI-CODE><P>and put the condition results=0 in the alert.</P><P>Only one note: use always the condition index=your_index in your searches, because searchjes are quicker and otherwise you risk not using some indexes out of the default path.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Nov 2021 15:09:23 GMT gcusello 2021-11-11T15:09:23Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574493#M200209 <P>Hi,</P><P>&nbsp; &nbsp;I am looking for a solution to check the splunk query results . if it returns '0' events i need to trigger an alert. Please provide a query to check when count value is zero.</P><P>Thanks.</P> Wed, 10 Nov 2021 20:24:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574493#M200209 rajs115 2021-11-10T20:24:38Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574495#M200211 <P>one more thing that, i need to run this query for every 1 hour. If count is '0' for the last one hour of the search i need to send alert</P> Wed, 10 Nov 2021 20:41:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574495#M200211 rajs115 2021-11-10T20:41:27Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574528#M200219 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240460">@rajs115</a>,</P><P>when you say "count=0" are you meaning that you haven't any result to your search or that you want to test e.g. a list of hosts and identyfy the ones with no events?</P><P>If the first, you have to create an alert with your search and set the condition "count=0" in the Alert conditions.</P><P>If instead, the second, you have to create a list of hosts to check in a lookup (called e.g. "perimeter.csv" containing at least one field ("host") and then run a search like this:</P><LI-CODE lang="markup">| metasearch index=_internal | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Nov 2021 07:32:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574528#M200219 gcusello 2021-11-11T07:32:59Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574574#M200230 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>&nbsp;</P><P>&nbsp; &nbsp;Yes, its the solution as you mentioned. I am running a basic query to look for the events over the last 1 hour of time and when the count is '0' i have to send an alert. Below query i am running. Can you please check if its right? Also, how to mention time period in last 1 hour in my search query?</P><P>&nbsp;</P><P><STRONG>sourcetype="logs" | stats count | where count=0</STRONG></P><P>&nbsp;</P><P>Thanks.</P> Thu, 11 Nov 2021 13:42:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574574#M200230 rajs115 2021-11-11T13:42:57Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574589#M200235 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240460">@rajs115</a>,</P><P>your search is larger than what you need, you could simply run:</P><LI-CODE lang="markup">sourcetype="logs"</LI-CODE><P>and put the condition results=0 in the alert.</P><P>Only one note: use always the condition index=your_index in your searches, because searchjes are quicker and otherwise you risk not using some indexes out of the default path.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 11 Nov 2021 15:09:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574589#M200235 gcusello 2021-11-11T15:09:23Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574590#M200236 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>&nbsp;</P><P>&nbsp; &nbsp;How can i add time in my query for the time (last 1 hour) ?</P><P>&nbsp;</P><P>Thanks.</P> Thu, 11 Nov 2021 15:12:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574590#M200236 rajs115 2021-11-11T15:12:06Z https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574593#M200239 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240460">@rajs115</a>,</P><P>you have two ways to do this:</P><UL><LI>defini with the Time Picker the time period of one hour for your search and then save the search as an alert, in this way the time period is associated to your search;</LI><LI>otherwise you can insert the following condition in your search:</LI></UL><LI-CODE lang="markup">sourcetype="logs" earliest=-1h latest=now</LI-CODE><P>I hint to follow the Search Tutorial at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial</A>&nbsp;that explain hot to search in Splunk.</P><P>&nbsp;Ciao.</P><P>Giuseppe</P> Thu, 11 Nov 2021 15:25:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-an-alert-when-search-count-is-0/m-p/574593#M200239 gcusello 2021-11-11T15:25:48Z