I want to trigger an alert when the count is zero. Please help me with the alert search.
You can use something like that:
sourcetype="Linux:Service" |stats count by field1 field2 field3 |where count<=0
Then you set the alert condition to "if number of result is more than 0" and an alarm is triggered.
You can extend this if you use something like this:
sourcetype="Linux:Service" |stats count by field1 field2 field3| eval event_alert=case(count >= 1, "OK", count <= 0, "ALERT")
| search event_alert="ALERT"
Hi,
You should create a lookup containing all the values of the field to monitor (e.g. Host) and then run a search like this
| inputlookup mylookup.csv | eval count=0, myfield=upper(myfield) | append [ search mysearch | stats count by myfield ] | stats sum(count) as total | where total=0
In this way you have all the values of your lookup that don't have any result.
You also could add rangemap at the end of your search and show results in a graphic panel (see Splunk 6.0 Dashboard Examples App).
Bye.
Giuseppe
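A worked version of the lookup approach, added here as an example and not taken from any answer in the thread. It assumes a lookup `expected_hosts.csv` with a single `host` column listing every host that should be reporting, `index=os` with `sourcetype="Linux:Service"` as the base search, and a 15-minute window; both sides of the append normalise `host` with `upper()` so that the keys actually match when summed.

```spl
| inputlookup expected_hosts.csv
| eval host=upper(host), count=0
| append
    [ search index=os sourcetype="Linux:Service" earliest=-15m
      | eval host=upper(host)
      | stats count by host ]
| stats sum(count) AS total BY host
| where total=0
| eval event_alert="ALERT", reason="no Linux:Service events in last 15m"
| table host total event_alert reason
```

Each result row is one expected host with zero events, so the alert trigger is "Number of Results is greater than 0"; a host missing from both the lookup and the logs is never reported, so the lookup must be kept current.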
You can set Count to 0 if no result is found, i.e. Count is null:
your base search yourField=* | stats count(yourField) as Count | eval Count=if(isnull(Count),0,Count) | table Count
Then set the Trigger Condition as Number of Results -> is equal to -> 0
For the same search as above you can also set Count to -1 in case you do not get any results, just to identify whether the count is actually 0 or null. Then set the Trigger Condition as Number of Results -> is less than -> 1
Hi, will it also satisfy the condition for 3 counts, which will trigger the alert by this?
|where count<=03
I wonder, in my case, whether I need to set a query that will trigger an alert on 3 consecutive occurrences in the logs within a specific time period like 7am-8pm. What query should I add? Thanks.
Just run your search and select "If number of result is less than 0" as alert condition.
I want to display some fields if the count is less than one or no event occurs.
The count here is a field OR just the count of events (count of events can't be less than 0)? Could you provide a sample query/data/expected output? If you want to alert based on a field value (say field name is count), then you can use "Custom" as trigger condition and provide your condition.