I have a saved search that starts with a dbquery
| dbquery, then does some transformations and ends with a
When I run this search manually, there are resulting events and all results go to the "Statistics" tab.
I want to monitor whether data was indeed collected by my saved search.
This does not do the trick:
counttype = number of events
quantity = 1
relation = less than
simply because there are no resulting events.
Is there a way to trigger an alert based on the number of rows in the "Statistics" tab?
When you run the Splunk search that you want an alert for, go to the top right and choose Save As. There is an option for Save as Alert. The options include the count of the rows and lots of other options.
Here is an example: