Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- alert triggering thought no result is found when u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alert triggering thought no result is found when using a query
I have a very basic query. I want to trigger alert when count =0.
Using a very basic query like :
index=rxc sourcetype=rxcapp earliest=-1h@h latest=@h|stats count(eval(Code=200) as Success|fillnull value=0| table Success | where Success=0
If I am using this query in my splunk no result is returned to me as there were more than 0 success in past one hour. But when I put it on git and want my self alerted only in case if in last one hour count is 0 then it is triggering alert even though there are more than 0 counts in last one hour. Do not know what is wrong with this.
Used query the below way also but still same problem:
index=rxc sourcetype=rxcapp earliest=-1h@h latest=@h|stats count(eval(Code=200)) as Success| eval SuccessCount=0| eval pram = if((Count=0),"yes","no")|where pram="yes"|table SuccessCount
No idea why this simple query is creating problem , can anyone help me with this,
objective is very simple , to alert when count =0 in past one hour. I know this is very basic but cannot find the problem here.
using something like below in github:
enableSched = 1
cron_schedule = 8 */1 * * *
alert.suppress = 0
alert.suppress.period = 15
realtime_schedule = 1
counttype = number of events
action.email.inline = 1
action.email.sendresults = 1
action.email.to = xx
action.email.subject = xx
action.email.maxresults = 999
dispatch.earliest_time=-1h@h
dispatch.latest_time=@h
quantity = 0
relation = greater than
search = index=rxc sourcetype=rxcapp earliest=-1h@h latest=@h|stats count(eval(Code=200) as Success|fillnull value=0| table Success | where Success=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is you're searching for something that is not there, which Splunk can't do. I suggest you remove the |where Success=0 command and have your alert trigger when the number of results is zero.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@richgalloway I understand that this query is wrong in terms I'm searching for something which is not there and know correct solution too. But the question is still there in my mind that why alert is triggering when I have events every hour where code is 200
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
editing the second way I am using query:
index=rxc sourcetype=rxcapp earliest=-1h@h latest=@h|stats count(eval(Code=200)) as Success| eval SuccessCount=0| eval pram = if((Success=0),"yes","no")|where pram="yes"|table SuccessCount
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
