topic Re: Trigger alert for stats query when events are null in Splunk Search

Trigger alert for stats query when events are null

santiagn — Mon, 11 Sep 2017 16:32:51 GMT

Hello,

scheduling an alert to notify me what my current license usage is and I can't get it to trigger since the events return null but rather show a statistic row. How can I get my alert to trigger when events are null?

here is my query:

 | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| stats count AS tnow | eval tnow = now() | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

Re: Trigger alert for stats query when events are null

somesoni2 — Mon, 11 Sep 2017 16:53:26 GMT

Give this a try

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| gentimes start=-1 | eval tnow = now() | table tnow | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

Re: Trigger alert for stats query when events are null

santiagn — Mon, 11 Sep 2017 17:02:19 GMT

events still are null and stats return same. i setthe trigger to run when number of results does not equal 0, still did not trigger

Re: Trigger alert for stats query when events are null

somesoni2 — Mon, 11 Sep 2017 17:08:48 GMT

Ok. I may have misunderstand the requirement here. When you say events are null means which fields are null/not returned?

Re: Trigger alert for stats query when events are null

santiagn — Mon, 11 Sep 2017 17:11:26 GMT

sorry i did a bad job explaining. so with my query it returns my usedGB for the day under the "statistics" tab but under the "events" tab " no events found" is shown. im trying to trigger an alert to show me the statistics data but it wont trigger because the "events" tab returns null

Re: Trigger alert for stats query when events are null

somesoni2 — Mon, 11 Sep 2017 17:17:37 GMT

Because your usedGB is coming from a join subsearch, the events for that will not be shown. What's the trigger condition you're using right now?

Re: Trigger alert for stats query when events are null

santiagn — Mon, 11 Sep 2017 17:20:01 GMT

i see and i tried all of the trigger conditions lol but right now its set to number of results = 0

Re: Trigger alert for stats query when events are null

somesoni2 — Mon, 11 Sep 2017 17:43:13 GMT

So basically you want to trigger alert if you get any records with license_stats="WARNING", correct? If yes, then add following to end of your search and set the alert condition to "if number of events are greater than 0".

your current search | where license_stats="WARNING"

Re: Trigger alert for stats query when events are null

santiagn — Mon, 11 Sep 2017 18:57:01 GMT

ok so then, how do i set thetrigger condition if the "events" tab is still null

Re: Trigger alert for stats query when events are null

santiagn — Tue, 19 Sep 2017 16:30:03 GMT

bump i still cant figure out how to trigger alert for a statistics query please help

Re: Trigger alert for stats query when events are null

santiagn — Wed, 04 Oct 2017 01:59:23 GMT

bumping this