Solved: Alert if text is not present

peter_gianusso · ‎03-27-2013

I want to alert if the text "OmniKrnlService.main: starting, service name" is not present in a log file by 8:30 AM every day.

I know how to alert when text is present but not how to alert when it's not present.

gkanapathy · ‎03-27-2013

Seems fairly straightforward. You search for the text in the file over the appropriate time range (e.g., midnight to 8:30am, run at 8:45am). Then send an alert if the count of results is zero, or less than 1. That is an option available when configuring alerts.

View solution in original post

ArthurGautesen · ‎04-22-2016

index=WhatYouChoose "OmniKrnlService.main" earliest=-0d@d latest=-0d@d+510m | stats count | eval Flag=if(count>0,1,0) | search Flag=1

This would have you searching between midnight and 8:30am each day, but there isn't a solid way to decimal point it

(510 minutes from midnight is 8:30am)

| search Flag=1 would mean you found results
| search Flag=0 would mean you did not find results

gkanapathy · ‎03-27-2013

Seems fairly straightforward. You search for the text in the file over the appropriate time range (e.g., midnight to 8:30am, run at 8:45am). Then send an alert if the count of results is zero, or less than 1. That is an option available when configuring alerts.

Alert if text is not present

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation