Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to Alert if missing field value?

Newser703
Explorer
‎07-11-2022 01:11 AM

Hello, I have an index that looks like that :

 

 

Server   Month       Number of connexions
---------------------------------------
  A     January            10
  B     January            12
  C     January            7
  A     February           5
  B     February           
  C     February           0

 

 

Let's say I sum the Number of connexions by Month, is there a way to raise an alert if a value is missing (here Server B in February) ?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2022 03:57 AM

The main question is what do your results really look like.

Because if you do simple stats count splunk will not create a row in results when there are no events to aggregate. It will however produce a row of results with count of 0 if you use timechart.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 01:18 AM

Hi @Newser703,

could you share your search? so I can help you to define the firing condition.

Anyway, I suppose that if a value is missing you don't have logs from that source, maybe it could betetr to have an alert that immediately fires if you haven't logs and not after one month!

Ciao.

Giuseppe

0 Karma
Reply

Newser703
Explorer
‎07-11-2022 01:29 AM

The search is very simple, because the index already looks like the one I described. 

It's something like :

index=MyIndex
| where Month="January" OR Month="February"
| stats sum("Number of connexions") AS Sum BY Month

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 02:14 AM

Hi @Newser703,

this search cannot have the output you shared because there's also the server field,

Probably it should be something like this:

index=MyIndex
| where Month="January" OR Month="February"
| stats sum("Number of connexions") AS Sum BY Server Month

but if  you don't have a value for a server in a month, you don't have the entire row,

maybe you could have something like this:

index=MyIndex
| where Month="January" OR Month="February"
| Chart sum("Number of connexions") AS Sum OVER Server BY Month

But anyway you don't have the missing value ,

You could use a workaround:

index=MyIndex Month="January" OR Month="February"
| stats dc(Month) AS dc_month values(Month) AS Month BY Server
| where dc_month=1

This search has anly one limit: if the values of both months are missing.

Then anyway, you don't need to use where after the main search, it's always better (for performances) to put all the search conditions as left as possible.

Ciao.

Giuseppe

0 Karma
Reply

Newser703
Explorer
‎07-11-2022 02:27 AM

What I shared in the question is the base index, what I'm working with before using any command.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 03:11 AM

Hi @Newser703,

did my solution work for you?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...