Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Alerting for zero events

peter_gianusso
Communicator
‎10-16-2012 08:45 AM

we want a search to execute every 20 minutes that looks at the past 20 minutes and ensures that events have been written to the log file by host.

This search returns no results.
sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m by host | where count=0

When I remove the "by host", the search below only works for a search for the past 4 hours but when I change it to 60 minutes, it stops returning results. It definitely doesn't work for the past 20 minutes.

sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m | where count=0

Any ideas?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 08:54 AM

If a host has no events, it will not be listed at all.

To proceed, you have to save a static list of the hosts, by example in a lookup file or a csv file. (See outputlookup, outputcsv, inputlookup, inputcsv)
and use this lookup as a | JOIN type=outer host to populate the other results, then the missing hosts will be displayed.
see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join

here is an example with csv.
to generate the list once a week over all the week events :

earliest=-1w@w latest=@w | dedup host | stats count AS lastweek by host | outputcsv lastweekhostlist.csv

to use this list with last hour event list

earliest=-1h latest=now | dedup host | stats count AS today by host | JOIN type=outer host [ | inputcsv lastweekhostlist.csv ] | fillnull value=0 today lastweek | where lastweek>0 AND today=0

FYI, we use the dedup host to keep only 1 event per hosts to be faster, but you could remove it and use the actual count of events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 09:07 AM

actually the timechart by host will return a table like :
timestamp host1 host2 host3
therefore there is not count columns to filter on.

try to replace by
| bucket _time span=20m | stats count by _time host
that will return a table like
timestamp count host

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 08:54 AM

If a host has no events, it will not be listed at all.

To proceed, you have to save a static list of the hosts, by example in a lookup file or a csv file. (See outputlookup, outputcsv, inputlookup, inputcsv)
and use this lookup as a | JOIN type=outer host to populate the other results, then the missing hosts will be displayed.
see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join

here is an example with csv.
to generate the list once a week over all the week events :

earliest=-1w@w latest=@w | dedup host | stats count AS lastweek by host | outputcsv lastweekhostlist.csv

to use this list with last hour event list

earliest=-1h latest=now | dedup host | stats count AS today by host | JOIN type=outer host [ | inputcsv lastweekhostlist.csv ] | fillnull value=0 today lastweek | where lastweek>0 AND today=0

FYI, we use the dedup host to keep only 1 event per hosts to be faster, but you could remove it and use the actual count of events.

0 Karma
Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎10-16-2012 08:56 AM

sorry...lets forget the hosts problem...it's really the query sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m | where count=0 that's the problem

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...