Splunk Enterprise

How to set up an alert with If else condition in search?

bosseres
Contributor

Hello everyone,

I want to make a search that searches events in index1, and if it finds an event, the search should take a field from it and make a search with this field in another index. If there are 0 events with this field, then alert. Is it possible?

0 Karma

ITWhisperer
SplunkTrust

Yes, first set up a report which find the results you want, then save it as an alert that is triggered if there are no results.

<search second index> [<search first index> | dedup field | fields field]

bosseres
Contributor

And what if I need to alert only if my subsearch finds events in the first index?

I mean if there are events in index1, and no events in index2 - alert

No events in index1 and no events in index2 - no alert?

0 Karma

ITWhisperer
SplunkTrust

Essentially, the subsearch is acting as a filter on the outer search - if the filter has no rows, then you should ensure that the outer search returns events (which it should, otherwise you have nothing to filter anyway) - therefore, it should be OK - try it and see.

bosseres
Contributor

I didn't quite get your point. You suggest creating a report which finds events in index1, and after that finds events in index2 by them; what is needed to create the alert?

And I didn't get why it will work if there are no events in index1.

0 Karma

ITWhisperer
SplunkTrust

You need a single report to create the alert from

Here is a run-anywhere example of what I mean:

``` Create 20 events ```
| makeresults count=20
``` Each with a random letter A-G ```
| eval field=mvindex(split("ABCDEFG",""),random()%7)
``` This represents your data set for your outer search ```
| search
    ``` Filter the search using your inner search to return the field value you are looking for ```
    [| makeresults
    | fields - _time
    ``` In this case, the field value found is a random letter A-H ```
    | eval field=mvindex(split("ABCDEFGH",""),random()%8)
    ``` This will return zero rows if H is found by the inner search ```
    | where match("ABCDEFG",field)
    | appendpipe
        [stats count
        | where count = 0
        ``` If there are zero rows from the inner search, set the field value to * ```
        | eval field="*"]
    | fields field]

Run this a few times to see different results due to the randomness of the dataset.

You should see that sometimes you get only events with the same letter - this represents finding the value from the inner search in the outer search

Sometimes you will get events with all the letters - this represents finding no rows in the inner search

Sometimes you will get zero rows - this represents finding a value in the inner search which is not in the outer search.

If you set an alert based on the report returning zero rows, this is the third condition, which I think is the one you are interested in.

If this is not what you are after, please explain what the difference is.

0 Karma
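The run-anywhere pattern above, mapped onto the asker's two real indexes, as an added example (not code from either poster). The index names index1 and index2 come from the question; the field name `field`, the `sourcetype=app_errors` condition and the search window are assumed placeholders.

```spl
``` Added example: alert search built on the appendpipe guard from the thread above. ```
``` index1/index2 are from the question; "field" and sourcetype=app_errors are placeholders. ```
index=index2 earliest=-15m
    [ search index=index1 sourcetype=app_errors earliest=-15m
      ``` one subsearch row per distinct value seen in index1 ```
      | dedup field
      | fields field
      ``` if index1 returned nothing, substitute a wildcard so the outer search is ```
      ``` not filtered down to zero rows and the alert stays quiet ```
      | appendpipe
          [ stats count
          | where count = 0
          | eval field="*" ]
      ``` drop the count column so only field=... terms reach the outer search ```
      | fields field ]
``` save as an alert with trigger condition "Number of Results" is equal to 0 ```
```

Two caveats a practitioner should keep in mind: subsearches are capped by default (10,000 result rows and 60 seconds, set under `[subsearch]` in limits.conf), so a noisy index1 can silently truncate the filter, and `field="*"` only matches index2 events where that field actually exists.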