Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Set count to 0 if no results found in splunk alert

sanchitlohia
Explorer
‎03-19-2014 09:10 AM

I am using a splunk alert with search option as

index="ht-prod*" host=*htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype

Alert Condition is selected as:
"If custom condition is met"
search count < 20

Problem is when above search returns no results then no alert is triggered. What I want to do is to trigger alert if the above search returns no result.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aelliott
Motivator
‎03-19-2014 09:11 AM

fillnull may help you with this(or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎11-03-2016 02:24 AM

Alternatively you can also create a separate alert with the following alert condition:

Trigger Alert when : Number of results
is equal to : 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

aelliott
Motivator
‎03-19-2014 09:11 AM

fillnull may help you with this(or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

Reply
Solved! Jump to solution

trueclicks
Explorer
‎11-03-2016 01:06 AM

Thanks you. It is working.

0 Karma
Reply
Solved! Jump to solution

nawazns5038
Builder
‎01-25-2017 10:47 PM

yes, then what do you keep the alert condition it give zero every time the query is run.

0 Karma
Reply
Solved! Jump to solution

sanchitlohia
Explorer
‎03-19-2014 09:38 AM

Thankyou so much it worked.. 🙂

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎03-19-2014 09:23 AM

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

Try something like this

0 Karma
Reply
Solved! Jump to solution

swarnkar
Explorer
‎08-31-2016 11:31 PM

Superb..it works great.

0 Karma
Reply
Solved! Jump to solution

sanchitlohia
Explorer
‎03-19-2014 09:18 AM

I looked at the link , still couldn't figure out how to modify search string to achieve this. Sorry I am very new to splunk.

0 Karma
Reply
Solved! Jump to solution

sanchitlohia
Explorer
‎03-19-2014 09:14 AM

I already gave it a try but it did not work . I was using the search like

ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | fillnull

Ya you are right it only works the search returns one event.

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎03-19-2014 09:13 AM

may also have to do something like this to return "something" when there are no results:
http://answers.splunk.com/answers/78124/No-results-found,-I-want-to-show-other-message%EF%BC%81%EF%B...

0 Karma
Reply
Solved! Jump to solution

aelliott
Motivator
‎03-19-2014 09:12 AM

guess this only works if your search returns one event

0 Karma
Reply
Solved! Jump to solution

nawazns5038
Builder
‎01-25-2017 10:45 PM

yes, then what do you keep the alert condition ,it gives zero every time the query is run.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...