Alerting

Why are my alerts sending email if the search result is zero?

maximusdm
Communicator

I have set up a bunch of alerts to run every 5 min with a time range of the last 15 min.
Every 5 min I get an email from the alert, but when I run the search query it returns ZERO events.
I did specify to only send emails for results > 0.
So I don't know why this is happening. Here is a screenshot of the email I receive showing (1) event !!??!? Why?
Thanks


somesoni2
SplunkTrust
SplunkTrust

Try to update the alert to show the events inline and/or as a CSV attachment in the email (select the appropriate checkboxes in the 'Alert Action' dialog). This way you'd see what Splunk is seeing to trigger the alert.


DalJeanis
SplunkTrust
SplunkTrust

Since your question is resolved, please accept somesoni2's comment/answer that led to the resolution.


maximusdm
Communicator

Oh, I see... if you look at my query, it returns the results into a variable called "Occurences". So even though the results returned ZERO, this option is counting that as 1 event. Really? That is strange.

somesoni2
SplunkTrust
SplunkTrust

I didn't look at that. The stats count would give you a result with the value of count as 0 if there are no rows. What you should do is add a where clause in the query itself (e.g. ..| where Occurrences>0 ) to check for the count, and then change the alert condition to trigger 'when the number of events is greater than 0'.

niketn
Legend

As far as your base search is returning events, stats count will give a default result of 0, which implies that your alert will always be fired if the Trigger Condition is Number of Results > 0. As @somesoni2 mentioned, you either need to add a final pipe | search Occurences>0 to your alert search, or else change your Alert Trigger condition to Custom instead of Number of Results and then set the Custom alert condition to | search Occurences>0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
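To reproduce the behaviour the answers describe without real data, the searches below are an added example (not from any post in this thread): the first returns one row with Occurences=0 even though no events match, so a trigger of "Number of Results > 0" fires, while the second adds the where clause from the answers and returns no rows, so it does not fire. The third applies the same fix to an alert search, where YOUR_INDEX, YOUR_SOURCETYPE and the -15m window are placeholders for your own values.

```spl
| makeresults count=1
| where 1=0
| stats count AS Occurences

| makeresults count=1
| where 1=0
| stats count AS Occurences
| where Occurences > 0

index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE earliest=-15m latest=now
| stats count AS Occurences
| where Occurences > 0
```

Run each search separately in the search bar; with the third as the alert search, the trigger condition "Number of Results > 0" behaves as the asker expected. Alternatively, keep the plain stats count search and set a Custom trigger condition of search Occurences > 0, as niketn suggests.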

somesoni2
SplunkTrust
SplunkTrust

If you wish to show the trigger condition in your alert email, I would go with @niketnilay's suggestion of using custom trigger condition.


maximusdm
Communicator

Yeah, that is what I did: search Occurences > xx
But following your suggestion, somesoni2, pointed me to the answer.