I have the following search :
index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail
This search is running daily at 7:00 AM and has to generate an alert when an event for Result="Failure" is found for the last 24 hours. No event is found and still the alert is fired.
Search job inspector gives the following message:
“This search has completed and has returned 1 result by scanning 0 events in 0.369seconds.”
What is going on here?
Yes, in Splunk there are 500 ways to screw in a light bulb, and if you pick the wrong way or don't check your code correctly, the light bulb won't work, or it will give you a false reading. I've been using Splunk for 1.5 years now and I'm learning more and more: go back, recheck and make your code even NEATER! There's always a few extra things you can do to make your search a little faster or easier for people to read/understand.
It depends how you've set up the trigger for your alert. If you set it up as count>0, then this will always fire, because there will always be one row for count. What you can do is add a where to the end, like this:
index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail | where fail>0
OR get rid of stats altogether and just use the base search.
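As an added illustration (not part of the original thread, and not Splunk code), here is a small Python model of the three behaviours the answer relies on: `stats count` emits exactly one summary row even when zero events match, `where` drops rows whose condition is false, and the trigger "number of results is greater than 0" counts result rows, not events. The event records and function names are constructed for the model.

```python
# Added example: a Python model of the Splunk pipeline behaviours in this thread.
# It is not Splunk itself; it only mimics the row semantics of the commands used.

def base_search(events, result_value="Failure"):
    """Model of `index=... sourcetype=... Result="Failure"`: filter raw events."""
    return [e for e in events if e.get("Result") == result_value]

def stats_count_as(rows, field="fail"):
    """Model of `| stats count as <field>`: ONE summary row, even for zero input rows."""
    return [{field: len(rows)}]

def where_gt(rows, field, threshold):
    """Model of `| where <field> > <threshold>`: keep rows where the field exists and exceeds threshold.
    A missing field (e.g. `count` after `stats count as fail`) makes the condition false."""
    return [r for r in rows if r.get(field) is not None and r[field] > threshold]

def trigger_fires(rows):
    """Model of the alert condition 'number of results is greater than 0'."""
    return len(rows) > 0

# Constructed sample data: the last 24 hours with and without a failure event.
EVENTS_NO_FAILURE = [
    {"Result": "Success", "host": "app01"},
    {"Result": "Success", "host": "app02"},
]
EVENTS_ONE_FAILURE = EVENTS_NO_FAILURE + [{"Result": "Failure", "host": "app03"}]

def original_search(events):
    """The search from the question: stats count with no filter afterwards."""
    return stats_count_as(base_search(events))

def fixed_search_where(events):
    """Fix 1: filter on the renamed field (`fail`, not `count`)."""
    return where_gt(stats_count_as(base_search(events)), "fail", 0)

def fixed_search_no_stats(events):
    """Fix 2: drop stats so the number of results equals the number of events."""
    return base_search(events)

if __name__ == "__main__":
    searches = [("original", original_search),
                ("where fail>0", fixed_search_where),
                ("no stats", fixed_search_no_stats)]
    for name, fn in searches:
        print(f"{name:>12}: no failures -> fires={trigger_fires(fn(EVENTS_NO_FAILURE))}, "
              f"one failure -> fires={trigger_fires(fn(EVENTS_ONE_FAILURE))}")
```

Note the trap the docstring of `where_gt` points at: filtering on `count` after `stats count as fail` would never fire, even when failures exist, because that field no longer exists.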
Thanks for your quick reply. I will try your solution. Using this search in a dashboard (with trafficlight) is working well.
Btw, the trigger is: If number of events is greater than 0.
So it is a strange thing that zero events gives a result of one.