Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a scheduled alert which triggers mail to some id

chitreshakumar
Communicator
‎12-14-2017 03:55 AM

I want to create an alert .If any of the field is missing the values the search will output the table with all the values with missing particular field values .Then I need to send an mail whenever this alerts run.My requirement is run it daily and the output to the mail in csv format .
My search is returning the values when running .But the alert is not triggering when the number of result is greater than zero.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎12-14-2017 06:11 AM

I think it maybe helpful if you can provide some sample data, but let me give this a go anyway:

If I have understood, you have a search which generates a table of results. You want to trigger an alert if any field in the table is empty?

<your search> |table _time <your field>

What you can do is fill empty fields with a known value, which you can then search for, so your search would now be

<your search> |table _time <your field>|fillnull value="Data Missing"|search <your field>="Data Missing"

This will now render you a table of rows only where a field is missing.
An alert >0 can now be set as a threshold

If my comment helps, please give it a thumbs up!

View solution in original post

Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎12-14-2017 06:11 AM

I think it maybe helpful if you can provide some sample data, but let me give this a go anyway:

If I have understood, you have a search which generates a table of results. You want to trigger an alert if any field in the table is empty?

<your search> |table _time <your field>

What you can do is fill empty fields with a known value, which you can then search for, so your search would now be

<your search> |table _time <your field>|fillnull value="Data Missing"|search <your field>="Data Missing"

This will now render you a table of rows only where a field is missing.
An alert >0 can now be set as a threshold

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...