Solved: alert on zero result didn't work as expected

raindrop18 · ‎06-02-2014

I have this string and give me a correct count number but when I tried set on alert keep sending me false alert. my objective is to get alert when number of result on my case "logged in users" are zero for last 30min.

                    index="mysite" sourcetype="logged in users" | stats count

                  Earliest:-15m
                  Latest:now
                  Cron Expression:*/30 * * * *
                  Trigger if number of results: is less than 1

also tried equal to "0"

but keep getting alert, when I checked the search actually there are 100 results.

thanks.

somesoni2 · ‎06-02-2014

The query that you're using will always return one row.

    index="mysite" sourcetype="logged in users" | stats count

Output:

Count
------
countValue

countValue=0 if there are no rows in the sourcetype.
Just get rid of "|stats" in your alert OR use alert based on count field value.

View solution in original post

somesoni2 · ‎06-02-2014

The query that you're using will always return one row.

    index="mysite" sourcetype="logged in users" | stats count

Output:

Count
------
countValue

countValue=0 if there are no rows in the sourcetype.
Just get rid of "|stats" in your alert OR use alert based on count field value.

alert on zero result didn't work as expected

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation