Solved: Re: How to send an alert when search count is 0

rajs115 · ‎11-10-2021

Hi,

I am looking for a solution to check the splunk query results . if it returns '0' events i need to trigger an alert. Please provide a query to check when count value is zero.

Thanks.

gcusello · ‎11-11-2021

Hi @rajs115,

you have two ways to do this:

defini with the Time Picker the time period of one hour for your search and then save the search as an alert, in this way the time period is associated to your search;
otherwise you can insert the following condition in your search:

sourcetype="logs" earliest=-1h latest=now

I hint to follow the Search Tutorial at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial that explain hot to search in Splunk.

Ciao.

Giuseppe

View solution in original post

rajs115 · ‎11-10-2021

one more thing that, i need to run this query for every 1 hour. If count is '0' for the last one hour of the search i need to send alert

gcusello · ‎11-10-2021

Hi @rajs115,

when you say "count=0" are you meaning that you haven't any result to your search or that you want to test e.g. a list of hosts and identyfy the ones with no events?

If the first, you have to create an alert with your search and set the condition "count=0" in the Alert conditions.

If instead, the second, you have to create a list of hosts to check in a lookup (called e.g. "perimeter.csv" containing at least one field ("host") and then run a search like this:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

rajs115 · ‎11-11-2021

Hi @gcusello ,

Yes, its the solution as you mentioned. I am running a basic query to look for the events over the last 1 hour of time and when the count is '0' i have to send an alert. Below query i am running. Can you please check if its right? Also, how to mention time period in last 1 hour in my search query?

sourcetype="logs" | stats count | where count=0

Thanks.

gcusello · ‎11-11-2021

Hi @rajs115,

your search is larger than what you need, you could simply run:

sourcetype="logs"

and put the condition results=0 in the alert.

Only one note: use always the condition index=your_index in your searches, because searchjes are quicker and otherwise you risk not using some indexes out of the default path.

Ciao.

Giuseppe

rajs115 · ‎11-11-2021

@gcusello ,

How can i add time in my query for the time (last 1 hour) ?

Thanks.

gcusello · ‎11-11-2021

Hi @rajs115,

you have two ways to do this:

defini with the Time Picker the time period of one hour for your search and then save the search as an alert, in this way the time period is associated to your search;
otherwise you can insert the following condition in your search:

sourcetype="logs" earliest=-1h latest=now

I hint to follow the Search Tutorial at https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial that explain hot to search in Splunk.

Ciao.

Giuseppe

How to send an alert when search count is 0

count

lookup

timechart

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk