Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is alert not triggering as expected?

Vani_26
Path Finder
‎11-03-2022 08:13 AM

Hi, i got the below query, and alert should get triggered only when data is not avaiable from any one of the host_ips

i gave the time range as 24 hrs to now and alert condition = o and corn expression */30 * * * *

i am getting mail for every 30 mins, even if data is available.

index=advcf request=* host IN(abgc, efgh, jhty, hjyu,kjnb)
| eval event_ct=1
| append [| makeresults 
    | eval host="abgc, efgh, jhty, hjyu, kjnb"
    | rex field=host mode=sed "s/\s+//g"
    | eval host=split(host,",")
    | mvexpand host
    | eval event_ct=0
    ]
| stats sum(event_ct) AS event_ct BY host
| where event_ct=0

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 05:20 PM

The test for zero is already in the SPL

| where event_ct=0

so you want the alert to trigger when the SPL finds a zero count for a host.  Therefore, trigger when the number of results is not zero.

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2022 09:21 AM

There doesn't appear to be anything wrong with your search - can you share your alert configuration?

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎11-03-2022 09:36 AM

alert configuration means, like what you want me to share.???

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2022 09:43 AM

Something like this

ITWhisperer_0-1667493763025.png

 

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎11-03-2022 10:45 AM

Vani_26_0-1667497496055.png

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 11:53 AM

I believe you want the alert to trigger is the number of results is NOT zero.  That is the error condition.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎11-03-2022 12:17 PM


My requirement is that i should receive the mail when no data is available in the servers.
So my condition should be equal to 0 right???

Correct me if i am wrong.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2022 05:20 PM

The test for zero is already in the SPL

| where event_ct=0

so you want the alert to trigger when the SPL finds a zero count for a host.  Therefore, trigger when the number of results is not zero.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎11-03-2022 06:38 PM

thank you, it worked

0 Karma
Reply
Solved! Jump to solution

Vani_26
Path Finder
‎11-03-2022 05:31 PM

So in the alert configuration, i need to mention number of results  "is not equal to 0"
Please confirm.

Vani_26_0-1667521765928.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...