How do you create an alert for when zero events occur continuously over a span of time?

nathomas
New Member

Hello,

I have a search based on the following conditions

index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*"  response_code=201 | timechart count by uri_path

I would like to create an alert when the count is zero for 20 minutes. Essentially, it alerts me that no events have occurred for 20 minutes.

0 Karma

macadminrohit
Contributor

You will have to define the span in timechart as 20 minutes, and also fillnull with value=0 and then do where count=0.

0 Karma

nathomas
New Member

Thank you for the query suggestions - I have applied them:

timechart span=20min count by uri_path | fillnull value=0 | untable _time uri_path count | where count=0

Do you have any suggestion for the alert setup? The current setup is:

Alert Type: Real-time
Trigger alert when Number of Results is equal to 0 in 20 minutes, trigger once, suppress triggering for 20 minutes.

0 Karma

macadminrohit
Contributor

Best I can tell you is to create an alert like this:

your search | stats count by uri_path | append [ | inputlookup uri_path_lookup.csv ] | eventstats count as eventcount by uri_path | fillnull value=0 count | where NOT (eventcount=2 AND count=0) | where count=0

Basically you create a lookup which has all the possible uri_path values, and the above search will show you the uri_path where there were no events for the last 20 minutes. Run this alert search on a 20-minute cron schedule (*/20 * * * *) and look at the last 20 minutes of data.

0 Karma

anthonymelita
Contributor

Just add the time range and trigger for no results.

index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*"  response_code=201 earliest=-20m latest=now
| timechart count by uri_path

Trigger alert when: Number of results
Is equal to: 0

0 Karma
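Putting the two suggestions together (macadminrohit's 20-minute cron schedule and anthonymelita's zero-results trigger), this is what the alert looks like as a savedsearches.conf stanza. It is an added example, not from any of the posters; the stanza name, the email address and the placeholder search filters are assumptions.

```ini
# Added example (not from any poster): a scheduled alert that fires when the
# search over the last 20 minutes returns no results. Stanza name, email
# address and the "xxx" search filters are placeholders.
[No successful POSTs in 20 minutes]
disabled = 0

# Scheduled, not real-time: run every 20 minutes over the same 20-minute window
enableSched = 1
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now

# Caveat: a bare "| stats count" always returns one row (count=0), so an
# "equal to 0 results" trigger would never fire. Splitting by uri_path
# returns no rows at all when there are no events, which is what we want.
search = index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*" response_code=201 | stats count by uri_path

# Trigger when the search returns zero results ("Number of Results" in the UI)
counttype = number of events
relation = equal to
quantity = 0

# Trigger once per run and do not re-fire within the next 20 minutes
alert.digest_mode = 1
alert.suppress = 1
alert.suppress.period = 20m
alert.track = 1
alert.severity = 4

# Notify on-call (placeholder address)
action.email = 1
action.email.to = oncall@example.com
action.email.subject = No successful POSTs to /xxx/xxx/xxxx in the last 20 minutes
```

Because the schedule and the search window are both 20 minutes, each run covers exactly one gap; widening dispatch.earliest_time slightly (for example -21m) avoids missing events that are indexed a few seconds late.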