Solved: Want to set up alert for No data found.

kamal_jagga · ‎07-27-2015

Hi,

The data coming in to my indexer is intermittent. So i want to set up an alert when no data is coming.

Kindly advise.

kamal_jagga · ‎08-03-2015

Wrote this search to solve this issue:

index=*cricket*|dedup team|table team| lookup playerslist player AS team OUTPUT player AS playermatch | where playermatch!="matched"

kamal_jagga · ‎08-03-2015

Wrote this search to solve this issue:

index=*cricket*|dedup team|table team| lookup playerslist player AS team OUTPUT player AS playermatch | where playermatch!="matched"

somesoni2 · ‎07-27-2015

Find a suitable query to identify the data is coming to your indexer from the host. An example query could be like this

index=yourIndex sourcetype=yoursourcetype host=yourhost | head 1

Run the search for suitable timerange as per your threshold (like if you want to configure an alert if no data has come for 60 mins, use timerange as last 60 mins) and saved the search as alert. See more details here http://docs.splunk.com/Documentation/Splunk/6.2.4/Alert/Setupalertactions#Configure_email_notificati...

kamal_jagga · ‎07-28-2015

Thanks. This works in a search. but when i am saving it as an alert. i am not getting anything.

I want it to alert when the events found=0.

Want to set up alert for No data found.