Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get alert when event count of an index is zero

aaa2324
Explorer
‎06-07-2021 05:10 AM

Hi Team,

I am trying to setup alert for every 60 min in Splunk whenever the event count of index is zero is encountered.

kindly help with the query.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2021 05:16 AM

Hi @aaa2324,

let me understand: you want an alert that fires when in an hour there isn't any event in an index, is it correct?

If this is your need, please try something like this:

index=your_index earliest=-60m

then you have to set a condition when results=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...
Top