- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How do you create an alert for when zero event...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you create an alert for when zero events occur continuously over a span of time?
Hello,
I have a search based on the following conditions
index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*" response_code=201 | timechart count by uri_path
I would like to create an alert when the count is zero for 20 minutes. Essentially, it alerts me that no events have occurred for 20 minutes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will have to define the span in timechart for 20 minutes. And also fillnull with value=0 and then do where count=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the query suggestions - I have applied them:
timechart span=20min count by uri_path | fillnull value=0 | where count=0
Do you have any suggestion for the Alert setup? The Current setup is:
Alert Type: Real-time
Trigger alert when Number of Results is equal to 0 in 20 minutes trigger once, suppress triggering for 20 minutes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best i can tell you is to create an alert like this :
your search | stats count by uri_path | append [ | inputlookup uri_path_lookup.csv | ] | eventstats count as eventcount by uri_path | fillnull count=0| where NOT ( eventcount=2 AND count=0) | where count=0
Basically you create a lookup which has all the possible uri_path and the above search will show you the uri_path where there was no events for last 20 minutes. Run this Alert search every 20 minutes cron schedule ( */20 * * * *) and look for last 20 minutes data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add the time range and trigger for no results.
index="xxx" sourcetype="xxxxx" uri_path="/xxx/xxx/xxxx" http_method=POST http_referrer="*www.xxxxx.com*" response_code=201 earliest=-20m latest=now
| timechart count by uri_path
Trigger alert when: Number of results
Is equal to: 0
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
