Alerting

Set count to 0 if no results found in splunk alert

sanchitlohia
Explorer

I am using a Splunk alert with the search option set as

index="ht-prod*" host=*htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype

Alert condition is selected as:
"If custom condition is met"
search count < 20

The problem is that when the above search returns no results, no alert is triggered. What I want is to trigger the alert if the above search returns no results.

0 Karma
1 Solution

aelliott
Motivator

fillnull may help you with this (or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

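As an added example that is not part of the thread, here is how the two approaches given in the answers map onto savedsearches.conf: the appendpipe query kept with the original custom condition, and niketn's separate alert keyed on zero results (a data source that goes silent is a monitoring gap in its own right, so alerting on it is worth the extra stanza). Stanza names, schedule, time window, severity and the recipient address are assumptions.

```ini
# Added example, not from the thread. Stanza names, cron schedule, dispatch
# window and e-mail recipient are assumptions; the searches are the ones
# posted in the thread.

# Approach 1 (aelliott): when the base search returns nothing, the appendpipe
# subsearch emits a single row with count=0, so the existing custom
# condition "search count < 20" now fires on an empty result set too.
[htons_event_volume_low]
search = index="ht-prod*" host=*htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" \
| stats count by sourcetype \
| appendpipe [ stats count | where count==0 ]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = custom
alert_condition = search count < 20
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc-oncall@example.com

# Approach 2 (niketn): a second alert on the unchanged search whose trigger
# is "Number of results is equal to 0". This one fires only on silence;
# the low-volume case stays with the first stanza.
[htons_no_events]
search = index="ht-prod*" host=*htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" \
| stats count by sourcetype
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = equal to
quantity = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc-oncall@example.com
```

With approach 1 a genuine low count and a missing feed raise the same alert, so inspect the count field in the result to tell them apart; approach 2 keeps the two cases separate at the cost of a second scheduled search.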

niketn
Legend

Alternatively you can also create a separate alert with the following alert condition:

Trigger Alert when : Number of results
is equal to : 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

trueclicks
Explorer

Thank you. It is working.

0 Karma

nawazns5038
Builder

Yes, then what do you keep the alert condition as? It gives zero every time the query is run.

0 Karma

sanchitlohia
Explorer

Thank you so much, it worked. 🙂

0 Karma

aelliott
Motivator

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

Try something like this

0 Karma

swarnkar
Explorer

Superb, it works great.

0 Karma

sanchitlohia
Explorer

I looked at the link, but still couldn't figure out how to modify the search string to achieve this. Sorry, I am very new to Splunk.

0 Karma

sanchitlohia
Explorer

I already gave it a try but it did not work. I was using the search like

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | fillnull

Ya, you are right, it only works if the search returns one event.

0 Karma

aelliott
Motivator

You may also have to do something like this to return "something" when there are no results:
http://answers.splunk.com/answers/78124/No-results-found,-I-want-to-show-other-message%EF%BC%81%EF%B...

0 Karma

aelliott
Motivator

I guess this only works if your search returns one event.

0 Karma

nawazns5038
Builder

Yes, then what do you keep the alert condition as? It gives zero every time the query is run.

0 Karma