Alert triggering if there is we see "results not f...

annep8326 · ‎01-25-2019

Sometimes there are problems in loading splunk dashboards (example: "results not found" Count shows "0" etc). Trying to alert team if there any issues in Splunk. Please help how can we achieve it?

woodcock · ‎01-25-2019

You can add this to your panels' search SPL:

| appendpipe [
  stats count
| where count==0
| rename COMMENT1of3 AS "Splunk sendemail ALWAYS sends email, even when no results found; we address this with 2 settings:"
| rename COMMENT2of3 AS "First, we put 'null()' in 'to' header when no results; this causes 'sendemail' to error."
| rename COMMENT3of3 AS "Last, we use 'graceful=true' so that the search does not log any error for that."
| eval valueForToHeader=if(isnotnull(count), "YourAdminEmailGoesHere@YourCompany.com", null())
| sendemail
    to=$result.valueForToHeader$
    graceful=true
| rename COMMENT AS "Throw away these events so as not to pollute the regular search events"
| where count != 0]

Alert triggering if there is we see "results not found" Count shows "0" in splunk dashboards.

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

Alert triggering if there is we see "results not found" Count shows "0" in splunk dashboards.

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency