Solved: How to make an alert if a result doesn't match?

danielgp89 · ‎04-07-2017

Hello, I need your help!!!

I want to make an alert if a search doesn't accomplish a certain result!

Example:

index=mf MFSOURCETYPE=SYSLOG SYSLOGSYSTEMNAME=PLB1 OR PLB2 OR PLB3 OR PLB4 |stats count by SYSLOGSYSTEMNAME if that search doesn't bring me PLB1, PLB2, PLB3, PLB4 then alert me!

How can I make the search? I think I need to use the eval and if.

woodcock · ‎04-07-2017

In the Save As Alert dialog, in the Trigger Conditions area, set the Trigger alert when value to Number of Results and Is equal to and 0.

View solution in original post

woodcock · ‎04-07-2017

In the Save As Alert dialog, in the Trigger Conditions area, set the Trigger alert when value to Number of Results and Is equal to and 0.

danielgp89 · ‎04-18-2017

Thanks for the help woodcock!

How to make an alert if a result doesn't match?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to make an alert if a result doesn't match?

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR