Solved: How to make an alert if a result doesn't match?

danielgp89 · ‎04-07-2017

Hello, I need your help!!!

I want to make an alert if a search doesn't accomplish a certain result!

Example:

index=mf MFSOURCETYPE=SYSLOG SYSLOGSYSTEMNAME=PLB1 OR PLB2 OR PLB3 OR PLB4 |stats count by SYSLOGSYSTEMNAME if that search doesn't bring me PLB1, PLB2, PLB3, PLB4 then alert me!

How can I make the search? I think I need to use the eval and if.

woodcock · ‎04-07-2017

In the Save As Alert dialog, in the Trigger Conditions area, set the Trigger alert when value to Number of Results and Is equal to and 0.

View solution in original post

woodcock · ‎04-07-2017

In the Save As Alert dialog, in the Trigger Conditions area, set the Trigger alert when value to Number of Results and Is equal to and 0.

danielgp89 · ‎04-18-2017

Thanks for the help woodcock!

How to make an alert if a result doesn't match?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to make an alert if a result doesn't match?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem