Trigger alert for stats query when events are null

santiagn · ‎09-11-2017

Hello,

scheduling an alert to notify me what my current license usage is and I can't get it to trigger since the events return null but rather show a statistic row. How can I get my alert to trigger when events are null?

here is my query:

 | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| stats count AS tnow | eval tnow = now() | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

santiagn · ‎09-19-2017

bump i still cant figure out how to trigger alert for a statistics query please help

santiagn · ‎10-03-2017

bumping this

somesoni2 · ‎09-11-2017

Give this a try

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| gentimes start=-1 | eval tnow = now() | table tnow | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

santiagn · ‎09-11-2017

events still are null and stats return same. i setthe trigger to run when number of results does not equal 0, still did not trigger

somesoni2 · ‎09-11-2017

Ok. I may have misunderstand the requirement here. When you say events are null means which fields are null/not returned?

santiagn · ‎09-11-2017

sorry i did a bad job explaining. so with my query it returns my usedGB for the day under the "statistics" tab but under the "events" tab " no events found" is shown. im trying to trigger an alert to show me the statistics data but it wont trigger because the "events" tab returns null

somesoni2 · ‎09-11-2017

Because your usedGB is coming from a join subsearch, the events for that will not be shown. What's the trigger condition you're using right now?

santiagn · ‎09-11-2017

i see and i tried all of the trigger conditions lol but right now its set to number of results = 0

somesoni2 · ‎09-11-2017

So basically you want to trigger alert if you get any records with license_stats="WARNING", correct? If yes, then add following to end of your search and set the alert condition to "if number of events are greater than 0".

your current search | where license_stats="WARNING"

santiagn · ‎09-11-2017

ok so then, how do i set thetrigger condition if the "events" tab is still null

Trigger alert for stats query when events are null

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor