Solved: Alert - Multiple Condition Confusion

chrisboy68 · ‎03-10-2016

Hi, this should be simple, but its making my head hurt.

(index=myindex OR index=_internal) (myfield=*  OR source=*dbx2*) |   search myfield = *  NOT  "Caught exception Splunkd daemon is not responding"

At times, I have ran into issues with the splunkd not responding for DB2. I have the above search in an Alert. It fires when there are 0 rows within 10 minutes (there should always be at least one row in 10 min), but I don't want it to fire if it finds "Caught exception Splunkd daemon is not responding".

I think I'm going about this wrong. How can I make a conditional alert that only fires if 0 rows are returned in the search and does not contain "Caught exception Splunkd daemon is not responding"?

Thanks

Chris

chrisboy68 · ‎03-10-2016

Ok, as expected, I over thought this one. Since the Alert first when the return result is NOT 0, the doing this:
search myfield = * OR "Caught exception Splunkd daemon is not responding"
Works for my Alert (it wont fire if a Splunkd exception is returned).

Sorry,

Chris

View solution in original post

chrisboy68 · ‎03-10-2016

Ok, as expected, I over thought this one. Since the Alert first when the return result is NOT 0, the doing this:
search myfield = * OR "Caught exception Splunkd daemon is not responding"
Works for my Alert (it wont fire if a Splunkd exception is returned).

Sorry,

Chris

richgalloway · ‎03-10-2016

Try this:

(index=myindex OR index=_internal) (myfield=*  OR source=*dbx2*) NOT  "Caught exception Splunkd daemon is not responding"

---
If this reply helps you, Karma would be appreciated.

Alert - Multiple Condition Confusion

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!