Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my alert not triggered even though there are results that meet the criteria?

kotig
Path Finder
‎11-02-2016 08:46 AM

Hi All,

We have a search which checks for a total count of failures in system in the last 24 hours:

index=mydata earliest=-24h| stats list(Summary) as "Summary", count(Summary) as SummaryCount

when a specific failures occur, the SummaryCount has a value of 1 or more than one.

Based on that we have created an alert to trigger with custom trigger condition:
search SummaryCount>=1 and AlertType =Scheduled and is scheduled to run every day, one time at 1 am.
and the Action Options, set was "Once"

Every time we run our search we get a result, so i was expecting there will be 1 alert everyday until the SummaryCount value is returned. But i got the alert only on 1 day and later it does not send any alert emails.

Can you please help? This is really urgent.

Thanks
Koti

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kotig
Path Finder
‎11-03-2016 09:09 AM

Thank you, appreciate your help on trying to help me. My alert is fixed now. I had a false alarm. Thanks everyone for your inputs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kotig
Path Finder
‎11-03-2016 09:09 AM

Thank you, appreciate your help on trying to help me. My alert is fixed now. I had a false alarm. Thanks everyone for your inputs.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-02-2016 04:27 PM

I suggest that you should simply use the normal trigger condition of Number of Results > 0
Your custom search for the alert is broken in a couple of ways:

  • and must be capitalized as AND in searches if you want a boolean comparison.
  • Your search does not yield a field named AlertType

What this means is that your custom search will never return anything - so your alert will not fire.
As far as I can tell, you don't need a custom search for your alert at all. Change your settings as
suggested in the first paragraph and see what happens.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-02-2016 09:18 AM

How about you update your alert like this and try.

Search: index=mydata earliest=-24h| stats list(Summary) as "Summary", count(Summary) as SummaryCount | wher SummaryCount>0

Time Range: -1d@d to @d
Alert Type: Scheduled, Cron: 0 1 * * *
Alert condition: If number of events greater than 0
Action Options: Once

0 Karma
Reply
Solved! Jump to solution

kotig
Path Finder
‎11-02-2016 10:50 AM

Sure thank you will try that option.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-02-2016 09:13 AM

Did you run the query for days you didn't get alert and found results matching your trigger condition?

0 Karma
Reply
Solved! Jump to solution

kotig
Path Finder
‎11-02-2016 09:15 AM

Yes, i am getting value for the day it did not trigger.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...