Alerting

Alert - Multiple Condition Confusion

chrisboy68
Contributor

Hi, this should be simple, but its making my head hurt.

(index=myindex OR index=_internal) (myfield=*  OR source=*dbx2*) |   search myfield = *  NOT  "Caught exception Splunkd daemon is not responding"

At times, I have ran into issues with the splunkd not responding for DB2. I have the above search in an Alert. It fires when there are 0 rows within 10 minutes (there should always be at least one row in 10 min), but I don't want it to fire if it finds "Caught exception Splunkd daemon is not responding".

I think I'm going about this wrong. How can I make a conditional alert that only fires if 0 rows are returned in the search and does not contain "Caught exception Splunkd daemon is not responding"?

Thanks

Chris

Tags (2)
0 Karma
1 Solution

chrisboy68
Contributor

Ok, as expected, I over thought this one. Since the Alert first when the return result is NOT 0, the doing this:
search myfield = * OR "Caught exception Splunkd daemon is not responding"
Works for my Alert (it wont fire if a Splunkd exception is returned).

Sorry,

Chris

View solution in original post

0 Karma

chrisboy68
Contributor

Ok, as expected, I over thought this one. Since the Alert first when the return result is NOT 0, the doing this:
search myfield = * OR "Caught exception Splunkd daemon is not responding"
Works for my Alert (it wont fire if a Splunkd exception is returned).

Sorry,

Chris

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this:

(index=myindex OR index=_internal) (myfield=*  OR source=*dbx2*) NOT  "Caught exception Splunkd daemon is not responding"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...