Splunk Search

When the stats command is used in the query and the statistics results show "no results found", will an alert be sent?

gu255363
New Member

When I run a query using stats count, I can see the Events count as "636 events (4/26/18 8:00:00.000 AM to 5/3/18 8:32:45.000 AM)"

but when I open the Events tab, it shows "Your search did not return any events because you are in Fast Mode. Search in Verbose Mode to see the events." The same message displays for Smart mode as well.

and in all 3 modes, the Statistics count is zero.

In this case, a scheduled email alert for the query wouldn't be triggered because the Statistics count is zero? Is this correct?


woodcock
Esteemed Legend

Whenever you use stats (or chart or timechart or ... or xyseries, etc.), your UI moves to the stats tab which means that the alert will also use that tab. So if your alert condition is Number of events > 0, it means on the stats tab. So the behavior is correct.


somesoni2
Revered Legend

It would depend upon the alert condition you've set while setting up the alert. If your alert condition says "if number of results is greater than 0", then if the stats count is zero, no alert will be fired.

The event count below the search bar shows the number of events that matched your search criteria, before aggregation. The count on the "Statistics" tab shows the actual results returned by your full search. The alert condition uses the result count, not the event count.


xpac
SplunkTrust

Yes, it's correct. 🙂
When, for example, your initial query contains results but you're doing a | stats by somefield, and that somefield doesn't exist in any of those events, you get 0 results. An alert that aims for more than 0 results would therefore not fire.

Hope that helps - if it does, I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

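As an added illustration that is not part of this thread or of Splunk's own code, the following Python is a simplified model of the distinction the answers draw: the event count is taken before aggregation, while the "Number of Results" alert condition is evaluated on the rows that stats returns. The sample events and the field name "somefield" are constructed; the model only mimics the documented rule that `stats ... by <field>` contributes nothing for events lacking that field.

```python
# Added example: a minimal model of how a Splunk alert condition
# ("Number of Results > 0") sees the output of `stats count` versus
# `stats count by <field>`. This is not Splunk's implementation; it only
# mimics the rule that `by <field>` ignores events without that field.
from collections import Counter

# Constructed sample events: the search matched 3 events, none of which
# has a field named "somefield" extracted.
EVENTS = [
    {"_time": 1524729600, "host": "web01", "_raw": "GET /login 200"},
    {"_time": 1524729660, "host": "web01", "_raw": "GET /login 401"},
    {"_time": 1524729720, "host": "web02", "_raw": "POST /login 200"},
]


def stats_count(events, by=None):
    """Model of `| stats count [by <field>]`.

    Without `by`: always exactly one row, whose count may be 0.
    With `by`: one row per distinct value of the field; events lacking the
    field are dropped, so the result can be empty even though events matched.
    """
    if by is None:
        return [{"count": len(events)}]
    counts = Counter(e[by] for e in events if by in e)
    return [{by: value, "count": n} for value, n in sorted(counts.items())]


def alert_fires(results, threshold=0):
    """Alert condition "Number of Results > threshold", evaluated on the rows
    returned by the full search, not on the pre-aggregation event count."""
    return len(results) > threshold


if __name__ == "__main__":
    print("events matched:", len(EVENTS))
    print("stats count ->", stats_count(EVENTS), "fires:",
          alert_fires(stats_count(EVENTS)))
    by_missing = stats_count(EVENTS, by="somefield")
    print("stats count by somefield ->", by_missing, "fires:",
          alert_fires(by_missing))
    by_host = stats_count(EVENTS, by="host")
    print("stats count by host ->", by_host, "fires:", alert_fires(by_host))
```

Running it shows 3 matched events, one row (count 3) for plain `stats count`, and an empty result set for `stats count by somefield`, which is exactly the case where "636 events" coexists with a Statistics count of zero and the alert stays silent.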