Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is alert fired when subsearch fails? That would be assuming (and wrong).

the_wolverine
Champion
‎01-15-2015 02:48 PM

I have a search that is populated by a lookup file and filtering out matches returned by subsearch. When the subsearch fails the alert fires. This is the wrong behavior! The alert should not fire:

Query:

|inputlookup the_list.csv | search NOT [ search index=main | dedup host | fields host ]

When my sub search fails, evidence:
Audit:[timestamp=01-11-2015 00:00:47.651, user=n/a, action=search, info=failed, search_id='subsearch_scheduler_USERNAMEsearch_XXXXXXXXXXXXXX_at_1420934400_28791_1420934427.1', total_run_time=2.97, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1420934427, api_et=1420920000.000000000, api_lt=1420934400.000000000, search_et=1420920000.000000000, search_lt=1420934400.000000000, is_realtime=0, savedsearch_name=""][n/a]

The alert fires! This is the wrong behavior.

0 Karma
Reply

tiagofbmm
Influencer
‎03-11-2018 11:17 AM

What is the alert based on? Number of events?

0 Karma
Reply

valiquet
Contributor
‎03-10-2018 03:40 PM

Can you run ?

|inputlookup the_list.csv
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...