Alerting

Set count to 0 if no results found in splunk alert

Explorer

I am using a Splunk alert with the search option as:

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype

Alert Condition is selected as:
"If custom condition is met"
search count < 20

The problem is, when the above search returns no results, no alert is triggered. What I want to do is trigger the alert if the above search returns no result.


Motivator

fillnull may help you with this (or not):
http://answers.splunk.com/answers/91877/show-zero-when-no-results

This query may help:
index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]


SplunkTrust

Alternatively you can also create a separate alert with the following alert condition:

Trigger Alert when : Number of results
is equal to : 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
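Both alert conditions from this thread written out as savedsearches.conf stanzas, as an added illustration that is not from any poster; the stanza names, schedule and time window are assumed. An alert like this is also a cheap way to notice when a log source goes quiet.

```ini
# Added example: the two alerts discussed in this thread as savedsearches.conf
# stanzas. Stanza names, schedule and time window are assumed, not from the thread.

# Alert 1: the custom-condition alert. appendpipe appends a row with count=0 when
# the base search produced no rows, so the custom condition has something to test.
[htons_low_event_count]
search = index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0 ]
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# "If custom condition is met": fire when any result row has count below 20
counttype = custom
alert_condition = search count < 20
alert.track = 1
alert.severity = 4

# Alert 2: the separate alert suggested above, with the search left unchanged;
# it fires on the raw number of result rows instead of a custom condition.
[htons_no_events]
search = index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# "Trigger alert when: Number of results is equal to 0"
counttype = number of events
relation = equal to
quantity = 0
alert.track = 1
alert.severity = 4
```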


Explorer

Thank you. It is working.


Builder

Yes, then what do you keep as the alert condition? It gives zero every time the query is run.


Explorer

Thank you so much, it worked. 🙂


Motivator

index="ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | appendpipe [ stats count | where count==0]

Try something like this.


Explorer

Superb, it works great.


Explorer

I looked at the link, but still couldn't figure out how to modify the search string to achieve this. Sorry, I am very new to Splunk.


Explorer

I already gave it a try but it did not work. I was using the search like:

ht-prod" host=htos sourcetype="ht/prod/htons/opt" OR sourcetype="ht/stge/htons/opt" | stats count by sourcetype | fillnull

Ya, you are right, it only works if the search returns one event.


Motivator

You may also have to do something like this to return "something" when there are no results:
http://answers.splunk.com/answers/78124/No-results-found,-I-want-to-show-other-message%EF%BC%81%EF%B...


Motivator

Guess this only works if your search returns one event.


Builder

Yes, then what do you keep as the alert condition? It gives zero every time the query is run.
