Hi,
Need to create an alert where, if a search produces zero results, an alert should be sent; this should be checked every 15 mins. Is there any internal log file on which this alert can be created so that it doesn't create overhead on the system?
Hi
You can check the results given by an alert with the following:
index=_internal sourcetype="scheduler" search_type=scheduled savedsearch_name="Your alert name"
| where result_count=0
Hope it helps.
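One way to schedule the query from the answer above as an alert that runs every 15 minutes, shown as an added savedsearches.conf example that is not part of the original posts. The stanza name, the monitored search name and the e-mail recipient are placeholders.

```ini
# Constructed example: stanza name, savedsearch_name value and recipient are placeholders.
[Zero results - Your alert name]
# The search from the answer: reads the scheduler's own log in _internal,
# so the monitored search is not executed a second time.
search = index=_internal sourcetype="scheduler" search_type=scheduled savedsearch_name="Your alert name" | where result_count=0

# Run every 15 minutes over the preceding 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# Trigger when at least one scheduled run with result_count=0 is found.
counttype = number of events
relation = greater than
quantity = 0

# Record the triggered alert and send an e-mail.
alert.track = 1
action.email = 1
action.email.to = soc@example.com
```

The monitored search has to be a scheduled search itself, because the query only sees runs recorded with search_type=scheduled.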