Splunk Search

How to create a search that will trigger an alert when the count is zero?

Path Finder

I want to trigger an alert when the count is zero. Please help me with the alert search.

0 Karma
1 Solution

Path Finder

You can use something like that:

sourcetype="Linux:Service" |stats count by field1 field2 field3  |where count<=0

Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.

You can extend this if you use something like this:

sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK",  count <= 0, "ALERT")
  | search event_alert="ALERT" 


0 Karma

SplunkTrust
SplunkTrust

Hi,
You should create a lookup containing all the values of the field to monitor (e.g. Host) and then run a search like this

| inputlookup mylookup.csv | eval count=0, myfield=upper(myfield) | append [ search mysearch | stats count by myfield ] | stats sum(count) as total by myfield | where total=0

In this way you have all the values of your lookup that don't have any result.

You also could add rangemap at the end of your search and show results in a graphic panel (see Splunk 6.0 Dashboard Examples App).

Bye.
Giuseppe

0 Karma
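The accepted answer's "stats count by ... | where count<=0" can never return a row, because stats only emits groups for which events exist; the lookup approach in the answer above is the way around that. As an added example, not from either poster, here is a complete form of that pattern that lists every expected host that sent no Linux:Service events in the last hour; the lookup name expected_hosts.csv, its host column and index=os are assumptions.

```spl
| inputlookup expected_hosts.csv
| eval host=lower(host), count=0
| append
    [ search index=os sourcetype="Linux:Service" earliest=-1h
      | eval host=lower(host)
      | stats count by host ]
| stats sum(count) AS total BY host
| where total=0
| table host total
```

Set the trigger condition to "Number of Results is greater than 0"; each returned row is a host that has gone silent. Note that append runs the bracketed part as a subsearch, so the default subsearch result and time limits apply to it.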

Legend

You can set the Count to 0 if no result found i.e. Count is null:

your base search yourField=* | stats count(yourField) as Count | eval Count=if(isnull(Count),0,Count) | table Count

Then set the Trigger Condition as Number of Results -> is equal to -> 0

For the same search as above you can also set Count to -1 in case you do not get any results, just to identify whether the count is actually 0 or null. Then set the Trigger Condition as Number of Results -> is less than -> 1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Revered Legend

Just run your search and select "If number of result is less than 0" as alert condition.

0 Karma

Path Finder

I want to display some fields if the count is less than one or no event occurs.

0 Karma

Revered Legend

The count here is a field OR just the count of events (count of events can't be less than 0)? Could you provide a sample query/data/expected output? If you want to alert based on a field value (say field name is count), then you can use "Custom" as trigger condition and provide your condition.

0 Karma