Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Finding zero events gives a result of 1

pwesterbeek
Engager
‎07-25-2016 06:36 AM

I have the following search :

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail

This search is running daily at 7:00 AM and has to generate an alert when an event for Result=”Failure” is found for the last 24 hours. No event is found and still the alert is fired.

Search job inspector gives the following message:
“This search has completed and has returned 1 result by scanning 0 events in 0.369seconds.”
What is going on here?

Tags (1)
0 Karma
Reply

Jarohnimo
Builder
‎07-25-2016 01:18 PM

Yes in splunk there 500 ways to screw in a light bulb and if you pick the wrong way or don't check your code correctly, the lightbulb won't work, or it will give you a false reading. I've been using splunk for 1.5 years now and i'm learning more and more, go back, recheck and make your code even NEATER! there's always a few extra things you can do to make your search a little faster or easier for people to read/ understand.

0 Karma
Reply

sundareshr
Legend
‎07-25-2016 10:28 AM

It depends how you've set up the trigger for your alert. if you set it up as count>0, then this will always fire because, there will always be one row for count. What you can do is add a where to the end, like this

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail | where count>0
Reply

somesoni2
Revered Legend
‎07-25-2016 02:05 PM

OR get rid of stats altogether, just use the base search

Reply

pwesterbeek
Engager
‎07-26-2016 01:01 AM

Thanks for your quick reply. I will try your solution. Using this search in a dashboard (with trafficlight) is working well.

Btw the trigger is : If number of events is greater than 0

So it is a strange thing dat zero events gives a result of one.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...