Finding zero events gives a result of 1

pwesterbeek · ‎07-25-2016

I have the following search :

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail

This search is running daily at 7:00 AM and has to generate an alert when an event for Result=”Failure” is found for the last 24 hours. No event is found and still the alert is fired.

Search job inspector gives the following message:
“This search has completed and has returned 1 result by scanning 0 events in 0.369seconds.”
What is going on here?

Jarohnimo · ‎07-25-2016

Yes in splunk there 500 ways to screw in a light bulb and if you pick the wrong way or don't check your code correctly, the lightbulb won't work, or it will give you a false reading. I've been using splunk for 1.5 years now and i'm learning more and more, go back, recheck and make your code even NEATER! there's always a few extra things you can do to make your search a little faster or easier for people to read/ understand.

sundareshr · ‎07-25-2016

It depends how you've set up the trigger for your alert. if you set it up as count>0, then this will always fire because, there will always be one row for count. What you can do is add a where to the end, like this

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail | where count>0

somesoni2 · ‎07-25-2016

OR get rid of stats altogether, just use the base search

pwesterbeek · ‎07-26-2016

Thanks for your quick reply. I will try your solution. Using this search in a dashboard (with trafficlight) is working well.

Btw the trigger is : If number of events is greater than 0

So it is a strange thing dat zero events gives a result of one.

Finding zero events gives a result of 1

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!