Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Email Report Only When No Results

vwilson3
Path Finder
‎06-17-2020 06:40 AM

Greetings,

I have a search string for the event and have been asked to figure out how to create a report that only emails if there were none of the events in a 24 hour period, looking back 35 days.

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| table _time host field1 field2 field3 field4

Thanks in advance for any suggestions!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

boz_8058
Explorer
‎06-17-2020 07:26 AM

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

View solution in original post

Reply
Solved! Jump to solution

dmarling
Builder
‎06-17-2020 07:52 AM

I'm not 100% on your requirements.  If you just want to alert when a there are zero events for anything that falls into the below query in a 24 hour period you can do it easily with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1d count(host) as count
| where count=0

 That will alert you if there is a single day with no events with that query.  The append with makeresults ensures you never get "no results" back from the query.  If you need it to be a rolling 24 hour period you can do it with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1h count(host) as count
| streamstats sum(count) as 24hcount time_window=24h
| where '24hcount'=0

If you need something more complicated where you need it so any combination of fields in your table are not seen in a day you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1d limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents

If you need that by a rolling 24 hour period you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1h limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| streamstats time_window=24h count as 24hcount by NoEvents
| where '24hcount'=24
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents 24hcount
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

vwilson3
Path Finder
‎06-19-2020 05:41 AM

Thanks, dmarling.  I will give these a try.  

0 Karma
Reply
Solved! Jump to solution
Solution

boz_8058
Explorer
‎06-17-2020 07:26 AM

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

Reply
Solved! Jump to solution

vwilson3
Path Finder
‎06-19-2020 05:39 AM

Thanks, boz_8058.  I am trying this now.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...