Hello
Still a noob at Splunk.
I have this alert that I cannot get to fire.
The goal is to search for a term in the last 6 hours and, if no records are found, fire the alert.
1) In the alerts page I "open in search"; this is my search:
host="X-TASKMAN1" auto_run.php "thread -> 1 finished" earliest=-6h@h latest=@h
This appears to return records when it should and does not when there are none.
2) In the edit alert dialog I am trying to fire this alert when it finds no records.
What I understood from your question is, you need to trigger an alert when you are not getting any output for your base query. The below query may serve your need. And set the Trigger Conditions as Trigger Alert when ==> Number of results is greater than 0.
index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere" OR your base query earliest=-6h@h latest=@h
| stats count
| search count=0
@paris, accept the answer if it is working fine. Let others find the relevant answer. Thank you!
Paries, I've never tried alerting on 0 results, but what I do for that is to append a single result and look for just 1:
base search
| append [| makeresults | eval msg="nothing else found"]
Your query is looking at the last 6 hours and you're running the alert (its schedule) once a day at 4:00 AM in the morning. Is that expected, or do you need the alert to run every 6 hours? The alert would run at 4:00 AM.
I want it to run once a day at 4:00 AM and look back 6 hours.
Thanks for your help.
Did you check if it was even run at the scheduled time?
index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere"
Yes:
12-21-2017 04:00:03.796 -0700 INFO SavedSplunker - savedsearch_id="nobody;search;AP Thread Test", search_type="scheduled", user="dev", app="search", savedsearch_name="AP Thread Test", priority=default, status=success, digest_mode=1, scheduled_time=1513854000, window_time=0, dispatch_time=1513854000, run_time=0.520, result_count=0, alert_actions="", sid="scheduler__dev__search__RMD578055006f73a66bd_at_1513854000_3557", suppressed=0, thread_id="AlertNotifierWorker-1"
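Putting the pieces of this thread together (the `stats count | search count=0` answer, the daily 04:00 schedule with a 6-hour lookback, and the scheduler log), here is what the whole alert looks like as a savedsearches.conf stanza. This is an added example, not configuration from the thread or from Splunk's docs; the stanza name is taken from the savedsearch_name in the scheduler log line above, and the email recipient is a placeholder.

```ini
# savedsearches.conf stanza for the "no 'thread -> 1 finished' record in the
# last 6 hours" alert discussed in the thread. Constructed example; stanza name
# comes from the scheduler log (savedsearch_name="AP Thread Test"), the email
# address is a placeholder.
[AP Thread Test]
description = Fire when auto_run.php has not logged "thread -> 1 finished" on X-TASKMAN1 in the last 6 hours

# `stats count` always emits exactly one row, even when the base search
# matches nothing, so the trailing `search count=0` is what turns
# "no events" into "one result" and "some events" into "no results".
search = host="X-TASKMAN1" auto_run.php "thread -> 1 finished" | stats count | search count=0

# Run once a day at 04:00 (server local time) and look back 6 hours,
# snapped to the hour, matching earliest=-6h@h latest=@h in the search.
enableSched = 1
cron_schedule = 0 4 * * *
dispatch.earliest_time = -6h@h
dispatch.latest_time = @h

# Trigger condition: "Number of results is greater than 0".
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# List firings under Activity > Triggered Alerts so a run can be confirmed
# without digging through the scheduler log.
alert.track = 1
alert.severity = 3

# Placeholder recipient; replace with a real address.
action.email = 1
action.email.to = alerts@example.com
disabled = 0
```

After the 04:00 run, the `index=_internal sourcetype=scheduler savedsearch_name="AP Thread Test"` search from the thread shows result_count=1 when the record was missing (condition met) and result_count=0 when it was present.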