Why is the alert not been triggered as expected?

POR160893 · ‎01-08-2023

Hi,

I have an alert that is supposed to trigger an email each subsequent day when there are 0 logs in the last 24 hours against a particular search.

However, when there ARE 0 logs in the past 24 hours, my alert does not get triggered for some reason.

My alert is as follows:

Can you please help as I do not understand why this alert is not working as expected?

Many thanks!

richgalloway · ‎01-08-2023

Please share the search itself.

---
If this reply helps you, Karma would be appreciated.

POR160893 · ‎01-08-2023

The search is as follows::
index="corp_security" sourcetype="dns_rpz"

The alert should send an email per day for every subsequent day when there are 0 logs in the last 24 hours

PickleRick · ‎01-08-2023

https://docs.splunk.com/Documentation/Splunk/9.0.3/Alert/AlertTriggerConditions

See the last example

POR160893 · ‎01-08-2023

So I need to add “earliest=0 latest=now | stats count” to mr current query? Would that look at just the data for the last 24 hours though?

Why is the alert not been triggered as expected?

alert action

alert condition

email

throttling

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!