Splunk Search

How to create a search that will trigger an alert when the count is zero?

sravankaripe
Communicator

I want to trigger an alert when the count is zero. Please help me with the alert search.

0 Karma
1 Solution

btiggemann
Path Finder

You can use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of results is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT" 


gcusello
Esteemed Legend

Hi,
You should create a lookup containing all the values of the field to monitor (e.g. Host) and then run a search like this:

| inputlookup mylookup.csv | eval count=0, myfield=upper(myfield) | append [ search mysearch | eval myfield=upper(myfield) | stats count by myfield ] | stats sum(count) as total by myfield | where total=0

In this way you have all the values of your lookup that don't have any result.

You also could add rangemap at the end of your search and show results in a graphic panel (see Splunk 6.0 Dashboard Examples App).

Bye.
Giuseppe

0 Karma
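As an added example that is not part of the thread, the same "expected list versus observed events" pattern with both sides built inline with makeresults, so it runs without a lookup file or index; the host names are constructed, and in production the first makeresults block would be replaced by `| inputlookup expected_hosts.csv` and the subsearch by the real event search:

```spl
| makeresults count=3
| streamstats count as n
| eval host=case(n=1, "web01", n=2, "web02", n=3, "db01"), count=0
| fields host count
| append
    [ | makeresults count=5
      | streamstats count as n
      | eval host=if(n<=4, "web01", "db01")
      | stats count by host ]
| stats sum(count) as total by host
| where total=0
```

The result is a single row for web02 with total=0, so an alert trigger of "Number of Results is greater than 0" fires exactly when an expected source has gone silent.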

niketn
Legend

You can set the Count to 0 if no result found i.e. Count is null:

your base search yourField=* | stats count(yourField) as Count | eval Count=if(isnull(Count),0,Count) | table Count

Then set the Trigger Condition as Number of Results -> is equal to -> 0

For the same search as above you can also set Count to -1 in case you do not get any results, just to identify whether the count is actually 0 or null. Then set the Trigger Condition as Number of Results -> is less than -> 1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma


jakeoftrades
Explorer

Hi, will it also satisfy the condition for 3 counts, which will trigger the alert with this?

|where count<=03

I wonder, in my case, I need to set a query that will trigger an alert on 3 consecutive occurrences in the logs within a specific time period like (7am-8pm). What query should I add? Thanks.

0 Karma

somesoni2
Revered Legend

Just run your search and select "If number of result is less than 0" as alert condition.

0 Karma

sravankaripe
Communicator

I want to display some fields if the count is less than one or no event occurs.

0 Karma

somesoni2
Revered Legend

The count here is a field OR just the count of events (count of events can't be less than 0)? Could you provide a sample query/data/expected output? If you want to alert based on a field value (say field name is count), then you can use "Custom" as trigger condition and provide your condition.

0 Karma