Query: index=_internal sourcetype=scheduler thread_id="AlertNotifier*" "email" | fillnull

Sample Log: 12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", search_type="", user="abc", app="search", savedsearch_name="TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", priority=default, status=success, digest_mode=1, scheduled_time=1607241900, window_time=0, dispatch_time=1607241903, run_time=6.113, result_count=2, alert_actions="email", sid="scheduler_dmFybNyaS5hZG1pbkBiY2cuY29t__search__RMD5e388bf8114eaecc6_at_160900_26417_8B358556-EC52-4F41-A194-1A98CFD37560", suppressed=0, thread_id="AlertNotifierWorker-0", workload_pool=""

Issue: The actual log has the value alert_actions="email", but when checked in the selected fields the value is either 0 or empty, even after using fillnull. What does this mean? In which scenarios does this occur? My use case is to find out the number of email alerts triggered in the last 24 hours, but a few of them are missing from my report because alert_actions is showing either 0 or an empty value.
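Worked example, added here and not part of the original question: a small Python model of how a field like alert_actions can come back as 0 or empty on lines such as the sample above, and what that does to a 24-hour email-alert count. The log lines are constructed to resemble the scheduler event in the question (note the unescaped quotes inside savedsearch_id and savedsearch_name). The strict extractor models a key=value parser that abandons a line at the first quoted value whose closing quote is not followed by a separator; the tolerant one closes a quoted value only at a quote that is followed by a field separator or end of line. Neither is Splunk's own auto-extraction, so treat the cause as a hypothesis to verify against your data. The one fact it relies on is how fillnull behaves: it only fills fields that are absent from an event, and its default fill value is 0, so a 0 marks a line where alert_actions was never extracted, while alert_actions="" was extracted as an empty string.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the scheduler event in the question,
# not real Splunk output. Line 2 carries unescaped quotes inside two values,
# line 3 has an empty alert_actions, line 4 is an email alert from a day earlier.
SAMPLE_LOGS = """\
12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;DiskUsageHigh", user="abc", app="search", savedsearch_name="DiskUsageHigh", status=success, scheduled_time=1607241900, alert_actions="email", suppressed=0, thread_id="AlertNotifierWorker-0"
12-06-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", user="abc", app="search", savedsearch_name="TimeDelayInCiscoEstreamerLogsFromHost-"10.90.78.45"", status=success, scheduled_time=1607241900, alert_actions="email", suppressed=0, thread_id="AlertNotifierWorker-0"
12-06-2020 08:06:01.000 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;NoActionSearch", user="abc", app="search", savedsearch_name="NoActionSearch", status=success, scheduled_time=1607241960, alert_actions="", suppressed=0, thread_id="AlertNotifierWorker-1"
12-05-2020 08:05:11.189 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;DiskUsageHigh", user="abc", app="search", savedsearch_name="DiskUsageHigh", status=success, scheduled_time=1607155500, alert_actions="email", suppressed=0, thread_id="AlertNotifierWorker-0"
"""
LINES = SAMPLE_LOGS.splitlines()

# Hypothetical "now" for the 24-hour window: 2020-12-06 09:00 UTC.
NOW = datetime(2020, 12, 6, 9, 0, tzinfo=timezone.utc)

KEY = re.compile(r"(\w+)=")
UNQUOTED = re.compile(r"[^,\s]*")
# Quoted value ends only at a quote followed by ", " (next field) or end of line.
TOLERANT_KV = re.compile(r'(\w+)=(?:"(.*?)"(?=,\s|\s*$)|([^,\s]*))')


def strict_extract(line):
    """Model of an extractor that gives up on the line at the first malformed token.

    A quoted value must end at the first closing quote, and that quote must be
    followed by a separator. On line 2 the quote after 'Host-' is followed by '1',
    so everything from savedsearch_id onward is dropped, alert_actions included.
    Returns only the fields extracted before the malformed token.
    """
    fields = {}
    pos = 0
    while True:
        m = KEY.search(line, pos)
        if not m:
            return fields
        key, pos = m.group(1), m.end()
        if pos < len(line) and line[pos] == '"':
            end = line.find('"', pos + 1)
            if end == -1:
                return fields
            value = line[pos + 1:end]
            pos = end + 1
            if pos < len(line) and line[pos] not in ", \t":
                return fields  # malformed: abandon the rest of the line
        else:
            um = UNQUOTED.match(line, pos)
            value, pos = um.group(0), um.end()
        fields[key] = value


def tolerant_extract(line):
    """Extractor that survives embedded quotes by closing a value only at a quote
    followed by a field separator, so savedsearch_name keeps its inner quotes."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in TOLERANT_KV.finditer(line)
    }


def classify_alert_actions(fields):
    """'missing' is the case fillnull later stamps with 0; 'empty' was extracted as ''."""
    if "alert_actions" not in fields:
        return "missing"
    return "empty" if fields["alert_actions"] == "" else fields["alert_actions"]


def count_email_alerts(logs, extract, now=NOW, window=timedelta(hours=24)):
    """Count unsuppressed scheduler events in the window whose alert_actions include email."""
    cutoff = now - window
    count = 0
    for line in logs.splitlines():
        f = extract(line)
        ts = f.get("scheduled_time")
        if ts is None:
            continue  # extraction failed or no timestamp: this is the undercount
        if datetime.fromtimestamp(int(ts), tz=timezone.utc) < cutoff:
            continue
        actions = [a.strip() for a in f.get("alert_actions", "").split(",")]
        if "email" in actions and f.get("suppressed") == "0":
            count += 1
    return count


if __name__ == "__main__":
    for i, line in enumerate(LINES, 1):
        print(i, classify_alert_actions(strict_extract(line)),
              classify_alert_actions(tolerant_extract(line)))
    print("strict:", count_email_alerts(SAMPLE_LOGS, strict_extract))
    print("tolerant:", count_email_alerts(SAMPLE_LOGS, tolerant_extract))
```

A quick check on real data is to split the report by which of the two cases each event falls into before fillnull runs: events where alert_actions is absent point at an extraction problem on that line (look at the raw event for quotes or other delimiters inside a value), whereas events with alert_actions="" are scheduled searches that simply had no action configured and should not be in an email count at all.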