Alerting

splunk alert for no user activities + no alert if splunk is not getting populate

gnshah12345
Observer

I already have an alert setup if a user does not have activity. The alert is set with number of results = 0. However, we have situation when splunk forwarder did not send data because the underlying logs stopped populating. This created a false negative that user is not logging. How do I incorporate the scenario that if no logs are coming than no alert.
The current search as follows.
index=appl_index user="xyz"
I would check
index=appl_index | stats count | if (count=0,do not alert, else go with my current query)

Thanks in advance.

Tags (1)
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@gnshah12345,

Try this. You may adjust the last condition according to your requirement.

index=appl_index |stats count(eval(user="xyz")) as userCount,count as total|where userCount>0 OR total < 1
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...