Reporting

Script for a scheduled report not called if there are no results

artvolk
Engager

My goal is to create some CloudWatch metrics from Splunk reports that run periodically. So I've created a report, scheduled it to be run every N minutes, send e-mail to me and run a script that will push values to CloudWatch.

The problem: If reports yields no results e-mail notification and script execution is not triggered. Is this behaviour by design or it could be changed with some option?

Thanks!

Update: Please see the comments for the accepted answer for the workarounds.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

This is by design. Both the email and script execution are form of alert trigged, so you don't want to get alerted if there is nothing wrong, correct?

It all depends upon the alert condition, which I believe you've set as "if number of event >0". If you want to have an email sent and script executed regardless of the search result, then choose "always".

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

This is by design. Both the email and script execution are form of alert trigged, so you don't want to get alerted if there is nothing wrong, correct?

It all depends upon the alert condition, which I believe you've set as "if number of event >0". If you want to have an email sent and script executed regardless of the search result, then choose "always".

artvolk
Engager

Yep, for alerts this logic seems to be completely valid, but I'm talking about reports, not alerts.

Another thing: In my Splunk installation for alarms I have only the following options:

  • Number of Results
  • Number of Hosts
  • Number of Sources
  • Custom

There is no "Always" option.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Conceptually both Reports and Alerts are scheduled saved search only. The Splunk has done logical categorization to separate informative report vs actionable reports.

You should be able to see all alert options by going to Settings->Searches, reports, and alerts from top right menu bar.
Let me know the version that you're using in case you don't the options.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Also, another option that would resolve this would be to use the sendemail command at the end of the search, instead of selecting email send option from Report menu. The command will always send an email event though there are no results. See more details here.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Sendemail

0 Karma

artvolk
Engager

Thanks for pointing me to Settings -> Searches, reports and alerts, I have found the needed option to trigger alert always there. Can you make a answer from this comment, so I will be able to flag it as resolved?

There is another possible workaround: it is possible to append | stats count as Total in the end of the search. So there will be always one row of data.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...