
mail when no result comes

logloganathan
Motivator

I want to get an email when no result comes for a specific query. But whenever some problem occurs in Splunk, unfortunately I am getting an email.

Could you please help me to fix this issue?

0 Karma

logloganathan
Motivator

Still I am facing this issue.

0 Karma

logloganathan
Motivator

Could anyone please help me with this issue?

0 Karma

logloganathan
Motivator

Still waiting for the result.

0 Karma

logloganathan
Motivator

Could anyone please help...
We are still facing the issue.

vr2312
Builder

Try setting custom alerts which will trigger only when results are zero, in the alert actions tab.

0 Karma

logloganathan
Motivator

Where is that present?

0 Karma

vr2312
Builder

Okay, you would receive an email if there is an infrastructural issue with Splunk due to which searching and indexing operations get impacted. That is how it works. You might have to use this for better validity:

| eval delay = _indextime - _time

If there is a delay in indexing and the search results are triggering due to that, you can avoid those by using the above command in your search.

0 Karma

logloganathan
Motivator

Can I use this query directly in the alert?

basic search | table host

How do I modify this query with your example?

0 Karma

logloganathan
Motivator

Could you please provide an update?

0 Karma

logloganathan
Motivator

I am still waiting for the response.

0 Karma

vr2312
Builder

Tweak the query as stated. It would help; there is no fixed answer for this, as the query is different w.r.t. the data ingested.

0 Karma

logloganathan
Motivator

Like this...?
basic search | table host | eval delay = _indextime - _time

0 Karma

MousumiChowdhur
Contributor

Hi @logloganathan,

Maybe you can try to modify your query and have the trigger condition be when count=0 and you don't have a "splunk restart" message in the _internal index.

Thank you!

0 Karma
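One way to put this suggestion into a single search, as an added example that is not code from anyone in this thread. The index and source names are placeholders, the 5-minute gap between `latest` and now is left for indexing lag, the 30-minute restart lookback is an assumption, and the `Splunkd starting` string is the line splunkd.log writes on startup; check it against your own `_internal` data before relying on it:

```spl
index=ABC source=XYZ "somefindinfcommand" earliest=-15m@m latest=-5m@m
| stats count AS app_events
| appendcols
    [ search index=_internal sourcetype=splunkd "Splunkd starting" earliest=-30m@m
      | stats count AS restarts ]
| appendcols
    [ search index=_internal source=*metrics.log group=per_index_thruput series=ABC earliest=-15m@m latest=-5m@m
      | stats sum(ev) AS events_indexed ]
| fillnull value=0 restarts events_indexed
| where app_events=0 AND restarts=0 AND events_indexed>0
```

Set the trigger condition to "Number of Results is greater than 0". The first `stats count` always returns exactly one row (count=0 when nothing matched), the two subsearches add the restart count and the number of events the indexers actually wrote to the index in the same window, and the final `where` keeps that row only when the query was empty while the index was still ingesting and no splunkd restart was logged. Two caveats: a full outage now yields no row and therefore no email, so keep a separate alert on `events_indexed=0`; and in a distributed deployment the `_internal` data of the indexers is searched as well, so the restart check covers search head and indexer restarts alike.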

logloganathan
Motivator

Hi Mousumi,

Thanks for your response

Could you please provide example query

Thanks
Loganathan

0 Karma

inventsekar
SplunkTrust

It triggers the alert when the table has less than 1 row,
but whenever Splunk is not getting any data, it triggers the false alert.
When the table result is less than 1, it means you are checking if the result event count is 0.

And whenever Splunk is not getting any data, it means the result is also zero, and that should trigger the alert, right? How do you say that it's a false alert?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

logloganathan
Motivator

Yes, you are correct, it is due to a Splunk issue. Sometimes a Splunk restart happens and then I am getting these alerts.

0 Karma

inventsekar
SplunkTrust

So, please try to adjust your query so that it will create a known number of results, and when that known number of results is not coming, you can trigger an alert.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

niketn
Legend

@logloganathan what is your current query for Alert and what is your Alert Trigger condition?

Also, please explain "some problem occurs": what kind of problem(s)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

logloganathan
Motivator

Hi Nikenilay,

Thanks for your response!

I used a very simple one:

index=ABC source=XYZ "somefindinfcommand" | stats count by source _time

It triggers the alert when the table has less than 1 row.

But whenever Splunk is not getting any data, it triggers the false alert.

0 Karma
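With the query now posted, here is inventsekar's "known number of results" suggestion applied to it, together with the `_indextime - _time` delay check vr2312 mentioned earlier. This is an added example, not code from anyone in the thread; the index, source and search term are the placeholders from the post above, and the 300-second lag threshold and the 10-minute window are assumptions to tune to your data:

```spl
index=ABC source=XYZ earliest=-15m@m latest=-5m@m
| eval matched = if(searchmatch("somefindinfcommand"), 1, 0)
| eval delay = _indextime - _time
| stats count AS total_events,
        sum(matched) AS matched_events,
        max(delay) AS max_delay_sec,
        max(_indextime) AS last_indexed
| fillnull value=0 matched_events max_delay_sec
| eval verdict = case(
        total_events == 0,   "NO_DATA_FROM_SOURCE",
        max_delay_sec > 300, "INDEXING_LAGGING",
        matched_events == 0, "QUERY_EMPTY",
        true(),              "OK")
| where verdict = "QUERY_EMPTY"
```

The base search deliberately drops the `"somefindinfcommand"` term so that the count of all events from the source is the baseline; the narrow match is counted separately with `searchmatch`. Because `stats count` without a `by` clause always returns exactly one row, even for zero events (unlike `stats count by source _time`, which returns no rows at all and so can only be alerted on as "results less than 1"), the result count is deterministic and the `verdict` field carries the decision: the source sent nothing (a Splunk or forwarder problem), events are arriving too late for the window to be trusted yet, or the source is healthy but the pattern really did not occur. Trigger on "Number of Results is greater than 0", or use a custom trigger condition of `search verdict="QUERY_EMPTY"` and remove the final `where`. Route `NO_DATA_FROM_SOURCE` and `INDEXING_LAGGING` to a separate operational alert rather than silently dropping them, and enable throttling so a search head restart that re-runs the schedule does not send duplicate emails.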

mstjohn_splunk
Splunk Employee

Hi @logloganathan,

Could you give us some more context for this problem? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

Thanks for posting!

0 Karma