Script for a scheduled report not called if there are no results

Engager

My goal is to create some CloudWatch metrics from Splunk reports that run periodically. So I've created a report and scheduled it to run every N minutes, send an e-mail to me and run a script that will push values to CloudWatch.

The problem: if the report yields no results, the e-mail notification and script execution are not triggered. Is this behaviour by design, or could it be changed with some option?

Thanks!

Update: Please see the comments for the accepted answer for the workarounds.

Re: Script for a scheduled report not called if there are no results

SplunkTrust

This is by design. Both the email and the script execution are a form of alert trigger, so you don't want to get alerted if there is nothing wrong, correct?

It all depends upon the alert condition, which I believe you've set as "if number of events > 0". If you want to have an email sent and the script executed regardless of the search result, then choose "always".

Re: Script for a scheduled report not called if there are no results

Engager

Yep, for alerts this logic seems to be completely valid, but I'm talking about reports, not alerts.

Another thing: In my Splunk installation for alarms I have only the following options:

  • Number of Results
  • Number of Hosts
  • Number of Sources
  • Custom

There is no "Always" option.

Re: Script for a scheduled report not called if there are no results

SplunkTrust

Conceptually, both Reports and Alerts are just scheduled saved searches. Splunk has done a logical categorization to separate informative reports from actionable reports.

You should be able to see all alert options by going to Settings -> Searches, reports, and alerts from the top right menu bar.
Let me know the version that you're using in case you don't see the options.

Re: Script for a scheduled report not called if there are no results

SplunkTrust

Also, another option that would resolve this would be to use the sendemail command at the end of the search, instead of selecting the email send option from the Report menu. The command will always send an email even though there are no results. See more details here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sendemail

Re: Script for a scheduled report not called if there are no results

Engager

Thanks for pointing me to Settings -> Searches, reports and alerts, I have found the needed option to always trigger the alert there. Can you make an answer from this comment, so I will be able to flag it as resolved?

There is another possible workaround: it is possible to append | stats count as Total to the end of the search. So there will always be one row of data.
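An added example, not written by any poster in this thread: the script side of the setup discussed above, publishing 0 for a run with no results so that the metric has no gaps once the trigger condition is "always" or the search ends with | stats count as Total. It assumes Splunk passes the script a gzip-compressed CSV results file as its eighth argument; the metric name, helper names and sample data are constructed for illustration.

```python
import csv
import gzip
import os
import sys
import tempfile

def metric_from_results(path, column="Total"):
    """Return the value to publish for one scheduled run.

    A missing file, an empty file or a header-only file all mean
    "the search matched nothing" and yield 0.0 instead of an error.
    """
    if not path or not os.path.exists(path):
        return 0.0
    with gzip.open(path, "rt", newline="") as fh:
        rows = list(csv.DictReader(fh))
    if not rows:
        return 0.0
    if column in rows[0]:
        # Search ended with "| stats count as Total": one row holds the count.
        return float(rows[0][column] or 0)
    return float(len(rows))  # otherwise publish the number of result rows

def build_datum(metric_name, value):
    # Hypothetical helper: one entry in the shape boto3's put_metric_data
    # takes in its MetricData list. No AWS call is made here.
    return {"MetricName": metric_name, "Value": value, "Unit": "Count"}

def write_sample(text):
    # Constructed sample input standing in for Splunk's gzip'd CSV results.
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    with gzip.open(path, "wt", newline="") as fh:
        fh.write(text)
    return path

if __name__ == "__main__":
    # Assumption: the results file path arrives as argument 8 of the script.
    results = sys.argv[8] if len(sys.argv) > 8 else write_sample("Total\n0\n")
    print(build_datum("SplunkReportTotal", metric_from_results(results)))
```
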