Solved: Splunk Alert query syntax

mike_k · ‎05-21-2021

I am just starting off with configuring up some Alerts in my Splunk environment.

One of the alerts that i have configured up as a test is to run a scheduled test once a day, looking to see whether any of the Cisco switches in my environment has restarted. I've configured up the following search:

index=<my_index> "%SYS-5-RESTART" | stats count

When using this as a simple search, this seems to work well, letting me know accurately if a switch has rebooted within the search time window. However with the alert that i have created from this search, it seems to be sending out an email regardless of the search result.

The Alert configuration i have used is as follows:

Alert Type: scheduled (run everyday at 5pm)
Expires 24 hours
Trigger alert when: Number of Results is greater than 0
Trigger: once
Trigger Actions: Send email

even today, when i used the above search term for the last 24 hours, it is coming up with a count of 0 and yet Splunk is still forwarding out an email at 5pm. Is there something that i am missing with the alert syntax?

Thanks,

ITWhisperer · ‎05-21-2021

Your search is returning a result (count = 0) - add "| where count > 0" to your search so results are only returned when there is something worth alerting

View solution in original post

ITWhisperer · ‎05-21-2021

Your search is returning a result (count = 0) - add "| where count > 0" to your search so results are only returned when there is something worth alerting

mike_k · ‎05-23-2021

thanks, that did the trick.

Splunk Alert query syntax

alert action

alert condition

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?