Alerting

Alert looking for no records over 6 hour time frame will not fire

paries
Explorer

Hello,
still a noob at Splunk.

I have this alert that I cannot get to fire.

The goal is to search for a term in the last 6 hours and, if no records are found, fire the alert.

1) In the alerts page I "open in search"; this is my search:

host="X-TASKMAN1" auto_run.php "thread -> 1 finished" earliest=-6h@h latest=@h

This appears to return records when it should and does not when there are none.

2) In the edit alert dialog I am trying to fire this alert when it finds no records.

0 Karma
1 Solution

Kwip
Contributor

What I understood from your question is that you need to trigger the alert when you are not getting any output for your base query. The query below may serve your need. Set the Trigger Conditions to Trigger Alert when ==> Number of results is greater than 0.

index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere" OR your base query earliest=-6h@h latest=@h
| stats count 
| search count=0


Kwip
Contributor

@paries, accept the answer if it is working fine, so that others can find the relevant answer. Thank you!

0 Karma

MonkeyK
Builder

Paries, I've never tried alerting on 0 results, but what I do for that is to append a single result and look for just 1:

base search
| append [| makeresults | eval msg="nothing else found"]
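For completeness, here is the original question's search turned into a full alert search, as an added example that is not code from any poster in this thread (the host, script name and log phrase are taken from the question; nothing else is assumed):

```spl
host="X-TASKMAN1" auto_run.php "thread -> 1 finished" earliest=-6h@h latest=@h
| stats count
| where count=0
```

The point of the `stats count` line is that it always emits exactly one row, with `count=0` when no events matched, whereas the bare base search returns nothing at all in that case. `where count=0` then keeps that row only when the 6-hour window was empty, so the alert's trigger condition can stay at "Number of results is greater than 0" and it fires precisely on the absence of the message. The `append [| makeresults ...]` variant above achieves the same effect by guaranteeing one result and checking for a count of 1.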

somesoni2
SplunkTrust

Your query is looking at the last 6 hours and you're running the alert (its schedule) once a day at 4:00 AM. Is that expected, or do you need the alert to run every 6 hours? The alert would run at 4:00 AM.

0 Karma

paries
Explorer

I want it to run once a day at 4:00 AM and look back 6 hours.
Thanks for your help.

0 Karma

somesoni2
SplunkTrust

Did you check whether it even ran at the scheduled time?

index=_internal sourcetype=scheduler savedsearch_name="YourAlertNameHere"

0 Karma

paries
Explorer

Yes:

12-21-2017 04:00:03.796 -0700 INFO  SavedSplunker - savedsearch_id="nobody;search;AP Thread Test", search_type="scheduled", user="dev", app="search", savedsearch_name="AP Thread Test", priority=default, status=success, digest_mode=1, scheduled_time=1513854000, window_time=0, dispatch_time=1513854000, run_time=0.520, result_count=0, alert_actions="", sid="scheduler__dev__search__RMD578055006f73a66bd_at_1513854000_3557", suppressed=0, thread_id="AlertNotifierWorker-1"

0 Karma