Solved: custom trigger condition

meenu_2017 · ‎04-08-2019

Qn on custom trigger condition for alerts.

Does the secondary search executes if the primary search returns no results?

woodcock · ‎04-08-2019

Of course it does. The empty set is still a set and | where count==0 is a valid thing to use on such a set as a trigger. In any case, IMHO, best practice is to NEVER use the thresholding function; instead always code your thresholds in SPL and use number of events and is greater than 0.

View solution in original post

woodcock · ‎04-08-2019

Of course it does. The empty set is still a set and | where count==0 is a valid thing to use on such a set as a trigger. In any case, IMHO, best practice is to NEVER use the thresholding function; instead always code your thresholds in SPL and use number of events and is greater than 0.

niketn · ‎04-08-2019

@meenu_2017 what do you mean by primary search and secondary search? Please give example. If possible also what you are trying to achieve. Please mask/anonymize any sensitive information before posting code or data!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ss026381 · ‎04-08-2019

I think every filter after pipe only works on your primary search results. If you have 0 results for your primary search, it will just give you no result.

I am not 100% sure though.

custom trigger condition

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services