https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38961#M8888 <P>Are you sure there were results in the last 15 minutes?</P> <P>Did you specify the time as 'index= "metering" sourcetype="ping" earliest=-15m | rex "Ping response: (?<PINGMESSAGE>.)" | search PingMessage=":OK*" ' ?</PINGMESSAGE></P> Mon, 19 Aug 2013 16:32:32 GMT richgalloway 2013-08-19T16:32:32Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38954#M8881 <P>I'm trying to set up a alert If I don't see a log message with in 15 minutes span of time. <BR /> I extracted a filed from the log message but I'm not sure how to check for the field in real time .</P> <P>The query i tired is </P> <P>index= "metering" host="vm10190" sourcetype="ping" | rex "Ping response: (?<PINGMESSAGE>.<EM>)" | search PingMessage="*OK</EM>" | bucket _time span=15m | stats count by _time host | where count&lt;1</PINGMESSAGE></P> <P>Any help would be greatly appreciated . </P> Mon, 28 Sep 2020 14:36:04 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38954#M8881 ssankeneni 2020-09-28T14:36:04Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38955#M8882 <P>For alerting, you need to setup a save search and schedule it. Then, you can alert based on the results of the saved search. Is the search above your saved search?</P> Mon, 19 Aug 2013 15:44:16 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38955#M8882 richnavis 2013-08-19T15:44:16Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38956#M8883 <P>Yes, It is a saved search but it is incorrect and it is not returning any results</P> Mon, 19 Aug 2013 15:45:46 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38956#M8883 ssankeneni 2013-08-19T15:45:46Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38957#M8884 <P>Create a search that finds your log messages. Then schedule that search and have it send an alert if the event count = 0.</P> Mon, 19 Aug 2013 15:50:36 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38957#M8884 richgalloway 2013-08-19T15:50:36Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38958#M8885 <P>I am not sure how to create a search query to return the results for just last 15 minutes</P> Mon, 19 Aug 2013 15:58:03 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38958#M8885 ssankeneni 2013-08-19T15:58:03Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38959#M8886 <P>Include 'earliest=-15m' in your search query.</P> Mon, 19 Aug 2013 16:02:49 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38959#M8886 richgalloway 2013-08-19T16:02:49Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38960#M8887 <P>index= "metering" sourcetype="ping" | rex "Ping response: (?<PINGMESSAGE>.<EM>)" | search PingMessage="</EM>:OK*" </PINGMESSAGE></P> <P>this query returns me the results where the ping is ok <BR /> but when I add the time it doesn't return any results</P> Mon, 19 Aug 2013 16:15:35 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38960#M8887 ssankeneni 2013-08-19T16:15:35Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38961#M8888 <P>Are you sure there were results in the last 15 minutes?</P> <P>Did you specify the time as 'index= "metering" sourcetype="ping" earliest=-15m | rex "Ping response: (?<PINGMESSAGE>.)" | search PingMessage=":OK*" ' ?</PINGMESSAGE></P> Mon, 19 Aug 2013 16:32:32 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38961#M8888 richgalloway 2013-08-19T16:32:32Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38962#M8889 <P>I do get the results now can you please let me know how to use the eventcount in this case</P> Mon, 19 Aug 2013 16:44:53 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38962#M8889 ssankeneni 2013-08-19T16:44:53Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38963#M8890 <P>Go to the 'Searches and Reports' manager page and click the New button. Enter your search query in the Search box, start time of '-15m' and end time of 'now'. Check the 'Schedule this search' box. Choose "15 minutes" from the 'Run every' box. Under Condition, choose 'if number of events' and 'is equal to' from the respective drop-downs.</P> <P>Choose the alert action and save the search.</P> Mon, 19 Aug 2013 16:52:26 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38963#M8890 richgalloway 2013-08-19T16:52:26Z https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38964#M8891 <P>Thanks for your answer</P> Mon, 19 Aug 2013 17:08:46 GMT https://community.splunk.com/t5/Splunk-Search/To-set-an-alert-if-a-field-doesn-t-exist-in-log-messages-in-real/m-p/38964#M8891 ssankeneni 2013-08-19T17:08:46Z