Alerting

Why my alerts are sending email if the search result is zero?

maximusdm
Communicator

I have set up a bunch of alerts to run every 5 min with a time range of the last 15 min.
Every 5 min I get an email from the alert, but when I run the search query it returns ZERO events.
I did specify to only send emails for results > 0.
So I don't know why this is happening. Here is a screenshot of the email I receive showing (1) event !!??!? Why?
Thanks

[screenshot of the alert email, image not preserved]

1 Solution

somesoni2
Revered Legend

Try to update the alert to show the events inline and/or csv attachment in the email (select appropriate checkboxes in 'Alert Action' dialog). This way you'd see what Splunk is seeing to trigger alert.


DalJeanis
SplunkTrust
SplunkTrust

Since your question is resolved, please accept somesoni2's comment/answer that led to the resolution.


maximusdm
Communicator

Oh I see... if you look at my query, it returns the results into a variable called "Occurences". So even though the results returned ZERO, this option is counting that as 1 event. Really? That is strange.


somesoni2
Revered Legend

I didn't look at that. The stats count would give you a result with a count value of 0 if there are no rows. What you should do is add a where clause in the query itself (e.g. ..| where Occurrences>0 ) to check the count, and then change the alert condition to trigger 'when number of events is greater than 0'.


niketnilay
Legend

Even if your base search is not returning events, stats count will give a default result of 0. This implies that your alert will always be fired if the Trigger Condition is Number of Results>0. As @somesoni2 mentioned, you either need to add a final pipe | search Occurences>0 to your alert search, or else change your Alert Trigger condition to Custom instead of Number of Results and then set the Custom alert condition as | search Occurences>0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
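The two fixes proposed above (somesoni2's where clause after stats, and niketnilay's custom trigger condition) can be expressed directly in savedsearches.conf. The stanzas below are an added example written for this page, not anything posted in the thread or shipped by Splunk; the base search (index=main sourcetype=app_logs "ERROR"), the stanza names and the recipient address are assumptions, since the original query and e-mail address are not shown. Both stanzas also switch on inline results and a CSV attachment, which is how the trigger cause became visible in the first place.

```ini
# savedsearches.conf -- added example, not from any poster in this thread.
# Base search, stanza names and e-mail address are assumed placeholders.

# Variant 1: filter the aggregate in the search itself.
# "stats count" over an empty window still emits one row (count=0),
# which a plain "number of results > 0" trigger counts as one result.
# The trailing "where" drops that row, so an empty window yields zero rows.
[zero_result_alert_where_clause]
search = index=main sourcetype=app_logs "ERROR" | stats count AS Occurences | where Occurences > 0
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Put the triggering rows in the mail so the reason for firing is visible.
action.email = 1
action.email.to = placeholder@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.sendcsv = 1

# Variant 2: keep the bare aggregate in the search and move the check
# into a custom trigger condition evaluated over the search results.
# The mail then still carries the Occurences row (including count=0 runs
# that did not trigger), which is why this variant was preferred above
# when the trigger value should appear in the e-mail.
[zero_result_alert_custom_trigger]
search = index=main sourcetype=app_logs "ERROR" | stats count AS Occurences
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
counttype = custom
alert_condition = search Occurences > 0
action.email = 1
action.email.to = placeholder@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.sendcsv = 1
```

To confirm the behaviour before relying on either stanza, run the search portion by hand over a window you know is empty: the bare `| stats count AS Occurences` returns one row with Occurences=0, while the version ending in `| where Occurences > 0` returns no rows at all.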

somesoni2
Revered Legend

If you wish to show the trigger condition in your alert email, I would go with @niketnilay's suggestion of using custom trigger condition.


maximusdm
Communicator

Yeah, that is what I did: search Occurences > xx
But following your suggestion, somesoni2, pointed me to the answer.
