Why is alert not triggering when string value is e...

POR160893 · ‎06-12-2023

Hi,

I have a Splunk alert where the trigger condition should be:

search ABC == ""

, where ABC is a string field and the alert is only triggered for records with such values as empty.

However, no alert is triggered so far.

What can I do?

Thanks.

ITWhisperer · ‎06-12-2023

Try with where command

| where isnull(ABC) OR ABC==""

POR160893 · ‎06-12-2023

Hey,

The full search which this alert is based on is this:

index=XYZ
| eval _time = strptime(dv_sys_updated_on, "%Y-%m-%d")
| eval month=strftime(_time, "%m")
| eval quarter = case(
month>=2 AND month<=4, "Q1",
month>=5 AND month<=7, "Q2",
month>=8 AND month<=10, "Q3",
month>=11 OR month<=1, "Q4"
)
| eval year = if(month>=2, strftime(relative_time(now(), "@y+1y"), "%y"), strftime(now(), "%y"))
| eval quarter = "FY" . year . quarter
| search quarter =FY29

| dedup HGF

| eval assigned_user=if(RITM == "", "", assigned_user)
| fields _time, quarter, RITM,
| table _time, quarter, RITM

However, I am assuming one cannot put this entire query into the trigger condition for the alert?

ITWhisperer · ‎06-12-2023

The alert is essentially a report/search - the trigger is based on the results of the search - note that only the first result event is available to the trigger if you want to use fields from the search (as opposed to number of results, for example).

Why is alert not triggering when string value is empty?

alert action

alert condition

email

other

throttling

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?