https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207177#M60407 <P>Hi All,</P> <P>We have a search which checks for a total count of failures in system in the last 24 hours:</P> <PRE><CODE>index=mydata earliest=-24h| stats list(Summary) as "Summary", count(Summary) as SummaryCount </CODE></PRE> <P>when a specific failures occur, the SummaryCount has a value of 1 or more than one.</P> <P>Based on that we have created an alert to trigger with custom trigger condition:<BR /> <CODE>search SummaryCount&gt;=1 and AlertType =Scheduled</CODE> and is scheduled to run every day, one time at 1 am.<BR /> and the Action Options, set was "Once"</P> <P>Every time we run our search we get a result, so i was expecting there will be 1 alert everyday until the SummaryCount value is returned. But i got the alert only on 1 day and later it does not send any alert emails. </P> <P>Can you please help? This is really urgent.</P> <P>Thanks<BR /> Koti</P> Wed, 02 Nov 2016 15:46:22 GMT kotig 2016-11-02T15:46:22Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207177#M60407 <P>Hi All,</P> <P>We have a search which checks for a total count of failures in system in the last 24 hours:</P> <PRE><CODE>index=mydata earliest=-24h| stats list(Summary) as "Summary", count(Summary) as SummaryCount </CODE></PRE> <P>when a specific failures occur, the SummaryCount has a value of 1 or more than one.</P> <P>Based on that we have created an alert to trigger with custom trigger condition:<BR /> <CODE>search SummaryCount&gt;=1 and AlertType =Scheduled</CODE> and is scheduled to run every day, one time at 1 am.<BR /> and the Action Options, set was "Once"</P> <P>Every time we run our search we get a result, so i was expecting there will be 1 alert everyday until the SummaryCount value is returned. But i got the alert only on 1 day and later it does not send any alert emails. </P> <P>Can you please help? This is really urgent.</P> <P>Thanks<BR /> Koti</P> Wed, 02 Nov 2016 15:46:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207177#M60407 kotig 2016-11-02T15:46:22Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207178#M60408 <P>Did you run the query for days you didn't get alert and found results matching your trigger condition?</P> Wed, 02 Nov 2016 16:13:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207178#M60408 somesoni2 2016-11-02T16:13:36Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207179#M60409 <P>Yes, i am getting value for the day it did not trigger.</P> Wed, 02 Nov 2016 16:15:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207179#M60409 kotig 2016-11-02T16:15:07Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207180#M60410 <P>How about you update your alert like this and try.</P> <P>Search: <CODE>index=mydata earliest=-24h| stats list(Summary) as "Summary", count(Summary) as SummaryCount | wher SummaryCount&gt;0</CODE></P> <P>Time Range: <CODE>-1d@d to @d</CODE><BR /> Alert Type: <CODE>Scheduled</CODE>, Cron: <CODE>0 1 * * *</CODE><BR /> Alert condition: <CODE>If number of events greater than 0</CODE><BR /> Action Options: <CODE>Once</CODE></P> Wed, 02 Nov 2016 16:18:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207180#M60410 somesoni2 2016-11-02T16:18:24Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207181#M60411 <P>Sure thank you will try that option.</P> Wed, 02 Nov 2016 17:50:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207181#M60411 kotig 2016-11-02T17:50:49Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207182#M60412 <P>I suggest that you should simply use the normal trigger condition of <CODE>Number of Results &gt; 0</CODE><BR /> Your custom search for the alert is broken in a couple of ways:</P> <UL> <LI><CODE>and</CODE> must be capitalized as <CODE>AND</CODE> in searches if you want a boolean comparison.</LI> <LI>Your search does not yield a field named <CODE>AlertType</CODE></LI> </UL> <P>What this means is that your custom search will never return anything - so your alert will not fire. <BR /> As far as I can tell, you don't need a custom search for your alert at all. Change your settings as<BR /> suggested in the first paragraph and see what happens.</P> Wed, 02 Nov 2016 23:27:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207182#M60412 lguinn2 2016-11-02T23:27:49Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207183#M60413 <P>Thank you, appreciate your help on trying to help me. My alert is fixed now. I had a false alarm. Thanks everyone for your inputs.</P> Thu, 03 Nov 2016 16:09:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-alert-not-triggered-even-though-there-are-results-that/m-p/207183#M60413 kotig 2016-11-03T16:09:01Z