Reporting

mail when no result comes

Motivator

I want to get an email when no result comes for a specific query. But whenever some problem occurs in Splunk, unfortunately I am getting an email.

Could you please help me to fix this issue?

0 Karma

Motivator

Still I am facing this issue.

0 Karma

Motivator

Could anyone please help me with this issue?

0 Karma

Motivator

Still waiting for the result.

0 Karma

Motivator

Could anyone please help...
We are still facing the issue.

Contributor

Try setting custom alerts which will trigger only when results are zero, in the Alert Actions tab.

0 Karma

Motivator

Where is that present?

0 Karma

Contributor

Okay, you would receive an email if there is an infrastructural issue with Splunk due to which searching and indexing operations get impacted. That is how it works. You might have to use this for better validity:

| eval delay = _indextime - _time

If there is a delay in indexing and the search results are triggering because of that, you can avoid those by using the above command in your search.

0 Karma
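As an added example (not code from the thread), here is one way to put the indexing-delay idea above into an alert search. It reuses the index, source and search term from the asker's query later in the thread and assumes a 15-minute alert window; the `_index_earliest`/`_index_latest` time modifiers restrict the search by index time rather than event time, so events that arrive late because of an indexing backlog are still counted instead of being mistaken for "no data":

```spl
index=ABC source=XYZ "somefindinfcommand" _index_earliest=-15m _index_latest=now
| eval delay=_indextime-_time
| stats count AS hits, max(delay) AS max_delay_sec
| where hits=0
```

With this search, the alert trigger condition is simply "number of results is greater than 0": `stats count` always returns one row, and the `where` keeps that row only when nothing was indexed in the window. The `max_delay_sec` field is there so that, when the alert does fire or when you run the search by hand, you can see how far behind real time the last events were indexed.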

Motivator

Can I use this query directly in the alert?

basic search | table host

How do I modify this query with your example?

0 Karma

Motivator

Could you please provide an update?

0 Karma

Motivator

I am still waiting for the response.

0 Karma

Contributor

Tweak the query as stated. It would help; there is no fixed answer for this, as the query differs with respect to the data ingested.

0 Karma

Motivator

Like this?
basic search | table host | eval delay = _indextime - _time

0 Karma

Contributor

Hi @logloganathan,

Maybe you can try to modify your query and set the trigger condition to when count=0 and you don't have a "splunk restart" message in the _internal index.

Thank you!

0 Karma

Motivator

Hi Mousumi,

Thanks for your response

Could you please provide an example query?

Thanks
Loganathan

0 Karma

Super Champion

> It triggers the alert when the table has fewer than 1 row,
> but whenever Splunk is not getting any data, it triggers a false alert.

When the table result is less than 1, you are checking whether the result event count is 0.

And whenever Splunk is not getting any data, the result is also zero, and that should trigger the alert, right? How do you say that it is a false alert?

0 Karma

Motivator

Yes, you are correct, it is due to a Splunk issue. Sometimes a Splunk restart happens, and then I am getting these alerts.

0 Karma

Super Champion

So please try to adjust your query so that it creates a known number of results, and when that known number of results does not come, you can trigger an alert.

0 Karma
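The two suggestions above (check `_internal` for a restart, and make the search return a known number of results) can be combined into a single alert search. This is an added example, not code posted in the thread. It reuses the index, source and search term from the asker's query, assumes a 15-minute alert window, and assumes that a restart shows up in splunkd.log as a "Splunkd starting" line; confirm the exact message text in your own `index=_internal sourcetype=splunkd` data before relying on it:

```spl
index=ABC source=XYZ "somefindinfcommand" earliest=-15m latest=now
| stats count AS hits
| append
    [ search index=_internal sourcetype=splunkd "Splunkd starting" earliest=-20m latest=now
      | stats count AS restarts ]
| stats max(hits) AS hits, max(restarts) AS restarts
| where hits=0 AND restarts=0
```

Both `stats count` calls return exactly one row even when they match nothing, so the search always produces a known result: one row with `hits` and `restarts`. After the final `where`, a row survives only when the data really stopped and no restart was logged in the slightly wider 20-minute window, so the alert trigger condition can be "number of results is greater than 0". If a restart did happen, the row is dropped and no email is sent; you can widen the restart window if your searches and indexing take longer to recover after a restart.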

Legend

@logloganathan what is your current query for Alert and what is your Alert Trigger condition?

Also, please explain "some problem occurs": what kind of problem/s?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Motivator

Hi Nikenilay,

thanks for your response!!

I used a very simple one:

index=ABC source=XYZ "somefindinfcommand" | stats count by source _time

It triggers the alert when the table has fewer than 1 row,

but whenever Splunk is not getting any data, it triggers a false alert.

0 Karma

Splunk Employee

Hi @logloganathan,

Could you give us some more context for this problem? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

Thanks for posting!

0 Karma