Splunk Search

How to create a search that will trigger an alert when the count is zero?

sravankaripe
Communicator

I want to trigger an alert when the count is zero. please help me with the alert search?

0 Karma
1 Solution

btiggemann
Path Finder

You can use something like that:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT" 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi,
You should create a lookup containing all the values of the field to monitor (e.g. Host) and then run a search like this

| inputlookup mylookup.csv | eval count=0, myfield=upper(myfield) | append [ search mysearch | stata count by myfield ] | stata sum(count) as total | where total=0

In this way you have all the values of your lookup that don't have any result.

You also could add rangemap at the end of your search and show results in a graphic panel (see Splunk 6.0 Dashboard Examples App).

Bye.
Giuseppe

0 Karma

niketn
Legend

You can set the Count to 0 if no result found i.e. Count is null:

your base search yourField=* | stats count(yourField) as Count | eval Count=if(isnull(Count),0,Count) | table Count

Then set the Trigger Condition as Number of Results -> is equal to -> 0

For the same search as above you can also set Count to -1 in case you do not get any results, just to identify whether the count is actually 0 or null. Then set the Trigger Condition as Number of Results -> is less than ** -> **1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

btiggemann
Path Finder

You can use something like that:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT" 

jakeoftrades
Explorer

hi, will it also satisfy the condition if for 3 counts which will trigger the alert by this ?

|where count<=03

 I wonder in my case that I need to set a query that will trigger an alert which is (3 consecutive occurrence) in 

 the logs within a specific time period like (7am-8pm) . what query should I add up. thanks 

0 Karma

somesoni2
Revered Legend

Just run your search and select "If number of result is less than 0" as alert condition.

0 Karma

sravankaripe
Communicator

i want to display some fields if count less than one or no event occurs

0 Karma

somesoni2
Revered Legend

The count here is a field OR just the count of events (count of events can't be less than 0)? Could you provide a sample query/data/expected output? If you want to alert based on a field value (say field name is count), then you can use "Custom" as trigger condition and provide your condition.

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...