Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Crazy alert

christinmb
Path Finder
‎12-12-2012 10:10 AM

Hello, I'm monitoring my PercentFreeSpace in some of my servers so I configurated an alert when the PercentFreeSpace<15 with Time range of 15m and running every minute the search, the problem comes when I want to verify the alert results: I GET 0 EVENTS MATCHING MY SEARCH!

Any idea why this is happening?
Thanks in advanced

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:28 AM

That could just mean that you don't have any servers with PercentFreeSpace less than 15%. We would expect no results to show up in that case. Why don't you try it as a search and adjust the number and see if indeed the alert should be bringing back something. If you edit your original question with the search, that would help as well.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:28 AM

That could just mean that you don't have any servers with PercentFreeSpace less than 15%. We would expect no results to show up in that case. Why don't you try it as a search and adjust the number and see if indeed the alert should be bringing back something. If you edit your original question with the search, that would help as well.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 11:11 AM

I think it might be sending you the results 'always' even though it's not a match, and essentially alerting every time that search runs.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 11:09 AM

Ok, i'll try that, but why do i get an alert if the condition doesnt meets?

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:52 AM

Try changing the alert condition from 'always' to 'if number of events' greater than 0.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 10:47 AM

http://img543.imageshack.us/img543/7492/configuracindealerta.jpg

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎12-12-2012 10:39 AM

You didn't say in your question that you were getting the alerts so didn't realize that. Can you post the search details.

0 Karma
Reply
Solved! Jump to solution

christinmb
Path Finder
‎12-12-2012 10:36 AM

But why am I getting tons of alerts if the results doesnt match?

0 Karma
Reply
Solved! Jump to solution

emiller42
Motivator
‎12-12-2012 10:11 AM

Can you provide sample events and the actual search you're running?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...