email alert not sending when the condition is ""Nu... - Splunk Community

Alerting

I am having trouble with getting a email triggered for the following condition.
"Number of Results is = 0"
the search query is as follows.

index="xxxxx" sourcetype="syslog" earliest=-1d latest=now | stats count

the result of the search is :
count = 0 .

It is able to send other alerts.

You have to set Trigger alert when = Custom and the condition box below this to be count = 0. The other setting counts the number of rows returned which in your case will always be 1 (not 0 the way that you were thinking).

while reading the post, all looks fine..

maybe, verify the mail address.
try adding this adding one more action - "Add to Triggered Alerts", so that you will know the alert got triggered or not.
maybe, verify the Alert Schedule.
It is able to send other alerts. // you mean, other email alerts are working fine?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...