Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Crazy alert

christinmb
Path Finder
‎12-12-2012 10:10 AM

Hello, I'm monitoring my PercentFreeSpace in some of my servers so I configurated an alert when the PercentFreeSpace<15 with Time range of 15m and running every minute the search, the problem comes when I want to verify the alert results: I GET 0 EVENTS MATCHING MY SEARCH!

Any idea why this is happening?
Thanks in advanced

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:28 AM

That could just mean that you don't have any servers with PercentFreeSpace less than 15%. We would expect no results to show up in that case. Why don't you try it as a search and adjust the number and see if indeed the alert should be bringing back something. If you edit your original question with the search, that would help as well.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:28 AM

That could just mean that you don't have any servers with PercentFreeSpace less than 15%. We would expect no results to show up in that case. Why don't you try it as a search and adjust the number and see if indeed the alert should be bringing back something. If you edit your original question with the search, that would help as well.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 11:11 AM

I think it might be sending you the results 'always' even though it's not a match, and essentially alerting every time that search runs.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 11:09 AM

Ok, i'll try that, but why do i get an alert if the condition doesnt meets?

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:52 AM

Try changing the alert condition from 'always' to 'if number of events' greater than 0.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 10:47 AM

http://img543.imageshack.us/img543/7492/configuracindealerta.jpg

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:39 AM

You didn't say in your question that you were getting the alerts so didn't realize that. Can you post the search details.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 10:36 AM

But why am I getting tons of alerts if the results doesnt match?

0 Karma
Reply
Solved! Jump to solution

emiller42
Motivator
‎12-12-2012 10:11 AM

Can you provide sample events and the actual search you're running?

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...