Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Email Report Only When No Results

vwilson3
Path Finder
‎06-17-2020 06:40 AM

Greetings,

I have a search string for the event and have been asked to figure out how to create a report that only emails if there were none of the events in a 24 hour period, looking back 35 days.

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| table _time host field1 field2 field3 field4

Thanks in advance for any suggestions!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

boz_8058
Explorer
‎06-17-2020 07:26 AM

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

View solution in original post

Reply
Solved! Jump to solution

dmarling
Builder
‎06-17-2020 07:52 AM

I'm not 100% on your requirements.  If you just want to alert when a there are zero events for anything that falls into the below query in a 24 hour period you can do it easily with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1d count(host) as count
| where count=0

 That will alert you if there is a single day with no events with that query.  The append with makeresults ensures you never get "no results" back from the query.  If you need it to be a rolling 24 hour period you can do it with this:

earliest=-35d@d latest=@d index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| append 
    [ makeresults count=1]
| timechart span=1h count(host) as count
| streamstats sum(count) as 24hcount time_window=24h
| where '24hcount'=0

If you need something more complicated where you need it so any combination of fields in your table are not seen in a day you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1d limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents

If you need that by a rolling 24 hour period you can do that with this:

index=myindex tag::host=DDD field1="AA" field2="9" field3="GGGG" field4="888"
| eval ClownCar=host."|".field1."|".field2."|".field3."|".field4
| append 
    [ makeresults count=1]
| timechart span=1h limit=0 count(host) as count by ClownCar
| foreach *
    [eval NoEvents=mvappend(if('<<FIELD>>'=0, "<<FIELD>>", null()),NoEvents)]
| where isnotnull(NoEvents)
| fields _time NoEvents
| mvexpand NoEvents
| streamstats time_window=24h count as 24hcount by NoEvents
| where '24hcount'=24
| rex field=NoEvents "(?<host>[^\|]+)\|(?<field1>[^\|]+)\|(?<field2>[^\|]+)\||(?<field3>[^\|]+)\||(?<field4>[^\e]+)"
| fields - NoEvents 24hcount
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

vwilson3
Path Finder
‎06-19-2020 05:41 AM

Thanks, dmarling.  I will give these a try.  

0 Karma
Reply
Solved! Jump to solution
Solution

boz_8058
Explorer
‎06-17-2020 07:26 AM

Save the search as an alert and then set the trigger to only send an email if the results are equal to 0.

Reply
Solved! Jump to solution

vwilson3
Path Finder
‎06-19-2020 05:39 AM

Thanks, boz_8058.  I am trying this now.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...