Solved: Re: Set count to 0 if no results found in splunk a...

sanchitlohia · ‎03-19-2014

I am using a splunk alert with search option as

index="ht-prod*" host=*htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype

Alert Condition is selected as:
"If custom condition is met"
search count < 20

Problem is when above search returns no results then no alert is triggered. What I want to do is to trigger alert if the above search returns no result.

aelliott · ‎03-19-2014

fillnull may help you with this(or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

View solution in original post

niketn · ‎11-03-2016

Alternatively you can also create a separate alert with the following alert condition:

Trigger Alert when : Number of results
is equal to : 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

aelliott · ‎03-19-2014

fillnull may help you with this(or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

trueclicks · ‎11-03-2016

Thanks you. It is working.

nawazns5038 · ‎01-25-2017

yes, then what do you keep the alert condition it give zero every time the query is run.

sanchitlohia · ‎03-19-2014

Thankyou so much it worked.. 🙂

aelliott · ‎03-19-2014

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

Try something like this

swarnkar · ‎08-31-2016

Superb..it works great.

sanchitlohia · ‎03-19-2014

I looked at the link , still couldn't figure out how to modify search string to achieve this. Sorry I am very new to splunk.

sanchitlohia · ‎03-19-2014

I already gave it a try but it did not work . I was using the search like

ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | fillnull

Ya you are right it only works the search returns one event.

aelliott · ‎03-19-2014

may also have to do something like this to return "something" when there are no results:
http://answers.splunk.com/answers/78124/No-results-found,-I-want-to-show-other-message%EF%BC%81%EF%B...

aelliott · ‎03-19-2014

guess this only works if your search returns one event

nawazns5038 · ‎01-25-2017

yes, then what do you keep the alert condition ,it gives zero every time the query is run.

Set count to 0 if no results found in splunk alert

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)