Can an alert be based on a search that runs but ha...

klf1242 · ‎10-27-2017

Can Splunk alerts be based on a search that runs but has no matching events? Is a match the number of times an event must occur in a given time frame? If that is the case, then could I set Splunk up to alert, if I am expecting an event, and it doesn't happen? Some of my friends in a Splunk class were talking about this, and I was curious what others will say.

traxxasbreaker · ‎10-27-2017

Yes.

When you create the alert through the UI, you can set the trigger conditions based on the number of events returned, then it will let you enter a value and indicate whether you want the event count to be greater than, less than, or equal to that value (along with a couple more options).

So if you have that search that is supposed to return an expected number of events and you set the alert to trigger if the event count is either zero or less than some number of events you are expecting, the alert will trigger if you are not getting the right number of events returned.

pkiripolsky · ‎10-27-2017

Short answer, yes it can. You can set up an alert to trigger based on the number of results. So you can setup an alert to trigger if number of results returned is 0 or less than some arbitrary number.

You can set this up when you save or edit the alert; it's called the "Trigger Conditions".

elliotproebstel · ‎10-27-2017

Yes, one of the options when configuring an alert is to trigger based on number of results, including the option to trigger when the number of results is 0. Here's a screenshot from my Splunk Enterprise 6.6.2 deployment:

Can an alert be based on a search that runs but has no matching events?

Data-Driven Success: Splunk & Financial Services

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds