Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to Alert if missing field value?

Newser703
Explorer
‎07-11-2022 01:11 AM

Hello, I have an index that looks like that :

 

 

Server   Month       Number of connexions
---------------------------------------
  A     January            10
  B     January            12
  C     January            7
  A     February           5
  B     February           
  C     February           0

 

 

Let's say I sum the Number of connexions by Month, is there a way to raise an alert if a value is missing (here Server B in February) ?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2022 03:57 AM

The main question is what do your results really look like.

Because if you do simple stats count splunk will not create a row in results when there are no events to aggregate. It will however produce a row of results with count of 0 if you use timechart.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 01:18 AM

Hi @Newser703,

could you share your search? so I can help you to define the firing condition.

Anyway, I suppose that if a value is missing you don't have logs from that source, maybe it could betetr to have an alert that immediately fires if you haven't logs and not after one month!

Ciao.

Giuseppe

0 Karma
Reply

Newser703
Explorer
‎07-11-2022 01:29 AM

The search is very simple, because the index already looks like the one I described. 

It's something like :

index=MyIndex
| where Month="January" OR Month="February"
| stats sum("Number of connexions") AS Sum BY Month

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 02:14 AM

Hi @Newser703,

this search cannot have the output you shared because there's also the server field,

Probably it should be something like this:

index=MyIndex
| where Month="January" OR Month="February"
| stats sum("Number of connexions") AS Sum BY Server Month

but if  you don't have a value for a server in a month, you don't have the entire row,

maybe you could have something like this:

index=MyIndex
| where Month="January" OR Month="February"
| Chart sum("Number of connexions") AS Sum OVER Server BY Month

But anyway you don't have the missing value ,

You could use a workaround:

index=MyIndex Month="January" OR Month="February"
| stats dc(Month) AS dc_month values(Month) AS Month BY Server
| where dc_month=1

This search has anly one limit: if the values of both months are missing.

Then anyway, you don't need to use where after the main search, it's always better (for performances) to put all the search conditions as left as possible.

Ciao.

Giuseppe

0 Karma
Reply

Newser703
Explorer
‎07-11-2022 02:27 AM

What I shared in the question is the base index, what I'm working with before using any command.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2022 03:11 AM

Hi @Newser703,

did my solution work for you?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...