Splunk Search

How to create trigger alert if the count in the dashboard is zero?

prettysunshinez
Explorer

I would want an alert to be triggered and sent by mail if a particular panel has count=0 in the dashboard.

How should we achieve that?

Please help.


prettysunshinez
Explorer

@gcusello The search of the panel has values parsed from the other panels in the dashboard.


gcusello
Esteemed Legend

Anyway, the only solution is the one I described:

you have to create one single search and save it as an alert; it isn't possible to create an alert taking parameters from other panels or inputs.

I could add that the concept of an alert is to have a rule that automatically checks the conditions and triggers without human intervention.

You could also add the sendmail command to a panel, but in this way, the mail is sent every time you open the dashboard and I don't think that's acceptable.

Ciao.

Giuseppe


gcusello
Esteemed Legend

Hi @prettysunshinez,

you only have to take the search in the panel and run it in the Search dashboard, then save it as an Alert, adding the other information: trigger condition (count=0), scheduling, time frame, etc.

Ciao.

Giuseppe

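As an added illustration of Giuseppe's procedure (this is not part of the thread and not Splunk's own sample), the same alert expressed as a `savedsearches.conf` stanza, which is what the "Save As > Alert" dialog writes to `$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf`. The stanza name, the `index=main sourcetype=my_app` search, the schedule and the recipient address are hypothetical placeholders: substitute the real panel search, with any `$token$` references replaced by literal values, since a scheduled alert cannot read dashboard inputs.

```conf
# Added example, not from the thread: a scheduled alert that fires when
# the panel's count is zero. All values below are placeholders.
[Panel count is zero]
# The panel's search with dashboard tokens replaced by literals.
search = index=main sourcetype=my_app | stats count
# Scheduling and time frame of the saved search.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger condition "count=0". Note that "| stats count" always returns
# exactly one row, even when count is 0, so the built-in trigger
# "number of results equal to 0" would never fire for this search.
# A custom condition runs a secondary search over the results instead
# and triggers if that search returns anything.
alert_type = custom
alert_condition = search count=0
# Send the alert by e-mail and list it under Triggered Alerts.
action.email = 1
action.email.to = oncall@example.com
action.email.subject = Splunk alert: $name$ - panel count is zero
alert.track = 1
# Optional: suppress repeat notifications for one hour after a trigger.
alert.suppress = 1
alert.suppress.period = 1h
```

The point worth checking before relying on the alert is the trigger condition: if the panel search ends in `stats count`, an empty result set still yields one row with `count=0`, so "Number of Results equal to 0" in the UI would silently never trigger; the custom condition `search count=0` (or "Custom" in the Trigger Conditions drop-down) is the one that matches the panel's behaviour.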