Alerting

Create a scheduled alert which triggers mail to some id

chitreshakumar
Communicator

I want to create an alert .If any of the field is missing the values the search will output the table with all the values with missing particular field values .Then I need to send an mail whenever this alerts run.My requirement is run it daily and the output to the mail in csv format .
My search is returning the values when running .But the alert is not triggering when the number of result is greater than zero.

0 Karma
1 Solution

nickhills
Ultra Champion

I think it maybe helpful if you can provide some sample data, but let me give this a go anyway:

If I have understood, you have a search which generates a table of results. You want to trigger an alert if any field in the table is empty?

<your search> |table _time <your field>

What you can do is fill empty fields with a known value, which you can then search for, so your search would now be

<your search> |table _time <your field>|fillnull value="Data Missing"|search <your field>="Data Missing"

This will now render you a table of rows only where a field is missing.
An alert >0 can now be set as a threshold

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills
Ultra Champion

I think it maybe helpful if you can provide some sample data, but let me give this a go anyway:

If I have understood, you have a search which generates a table of results. You want to trigger an alert if any field in the table is empty?

<your search> |table _time <your field>

What you can do is fill empty fields with a known value, which you can then search for, so your search would now be

<your search> |table _time <your field>|fillnull value="Data Missing"|search <your field>="Data Missing"

This will now render you a table of rows only where a field is missing.
An alert >0 can now be set as a threshold

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...