Solved: alert on zero result didn't work as expected

raindrop18 · ‎06-02-2014

I have this string and give me a correct count number but when I tried set on alert keep sending me false alert. my objective is to get alert when number of result on my case "logged in users" are zero for last 30min.

                    index="mysite" sourcetype="logged in users" | stats count

                  Earliest:-15m
                  Latest:now
                  Cron Expression:*/30 * * * *
                  Trigger if number of results: is less than 1

also tried equal to "0"

but keep getting alert, when I checked the search actually there are 100 results.

thanks.

somesoni2 · ‎06-02-2014

The query that you're using will always return one row.

    index="mysite" sourcetype="logged in users" | stats count

Output:

Count
------
countValue

countValue=0 if there are no rows in the sourcetype.
Just get rid of "|stats" in your alert OR use alert based on count field value.

View solution in original post

somesoni2 · ‎06-02-2014

The query that you're using will always return one row.

    index="mysite" sourcetype="logged in users" | stats count

Output:

Count
------
countValue

countValue=0 if there are no rows in the sourcetype.
Just get rid of "|stats" in your alert OR use alert based on count field value.

alert on zero result didn't work as expected

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)