Solved: Email Report Only When No Results

vwilson3 · ‎06-17-2020

Greetings,

I have a search string for the event and have been asked to figure out how to create a report that only emails if there were none of the events in a 24 hour period, looking back 35 days.

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| table _time host field1 field2 field3 field4

Thanks in advance for any suggestions!

boz_8058 · ‎06-17-2020

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

View solution in original post

dmarling · ‎06-17-2020

I'm not 100% on your requirements. If you just want to alert when a there are zero events for anything that falls into the below query in a 24 hour period you can do it easily with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1d count(host) as count
| where count=0

That will alert you if there is a single day with no events with that query. The append with makeresults ensures you never get "no results" back from the query. If you need it to be a rolling 24 hour period you can do it with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1h count(host) as count
| streamstats sum(count) as 24hcount time_window=24h
| where '24hcount'=0

If you need something more complicated where you need it so any combination of fields in your table are not seen in a day you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1d limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents

If you need that by a rolling 24 hour period you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1h limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| streamstats time_window=24h count as 24hcount by NoEvents
| where '24hcount'=24
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents 24hcount

If this comment/answer was helpful, please up vote it. Thank you.

vwilson3 · ‎06-19-2020

Thanks, dmarling. I will give these a try.

boz_8058 · ‎06-17-2020

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

vwilson3 · ‎06-19-2020

Thanks, boz_8058. I am trying this now.

Email Report Only When No Results

count

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?