Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alert on |search field=0 returns too many rows?

bmgilmore
Path Finder
‎11-21-2012 05:35 AM

I've got a scheduled search that calculates the variability of a numeric field over time that should always be moving. If I pipe a "search Variability=0" at the end, and run in search view, the search runs, shows a lot of rows at first as it calculates back through time, and then shows the correct number of rows.

Oddly, when I set this search to alarm, it sends many alarms and the CSV search results attached show many (almost all) of the available rows, each with a Variability of 0. Returning to the triggered job returns 0 (or whatever 1 or 2) rows as I would expect. Especially strange is that each time the alert triggers, it is a new number of false positive rows.

It's almost as if the search is not waiting to complete before triggering the alert? Any ideas here? Thanks in advance!

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎11-21-2012 08:14 AM

You probably need a custom condition in your alert

i.e.

main search

... | stats count(eval(Variability==0)) as not_variable

then a custom condition where

search not_variable > 0
0 Karma
Reply

MHibbin
Influencer
‎11-21-2012 07:31 AM

attached? ... you will need to paste it in the question as code (using the button "101010", or by starting each line of the code with 4 spaces, or by inclosing in backticks).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...