Splunk Search

Finding zero events gives a result of 1

pwesterbeek
Engager

I have the following search :

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail

This search is running daily at 7:00 AM and has to generate an alert when an event for Result="Failure" is found for the last 24 hours. No event is found and still the alert is fired.

Search job inspector gives the following message:
"This search has completed and has returned 1 result by scanning 0 events in 0.369 seconds."
What is going on here?

0 Karma

Jarohnimo
Builder

Yes, in Splunk there are 500 ways to screw in a light bulb, and if you pick the wrong way or don't check your code correctly, the light bulb won't work, or it will give you a false reading. I've been using Splunk for 1.5 years now and I'm learning more and more. Go back, recheck and make your code even NEATER! There's always a few extra things you can do to make your search a little faster or easier for people to read/understand.

0 Karma

sundareshr
Legend

It depends on how you've set up the trigger for your alert. If you set it up as count>0, then this will always fire because there will always be one row for count. What you can do is add a where to the end, like this:

index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail | where fail>0

somesoni2
SplunkTrust
SplunkTrust

Or get rid of stats altogether and just use the base search.
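The stanzas below are an added example, not part of this thread or of Splunk's own configuration, that restate the problem and the two fixes (sundareshr's where clause, somesoni2's base search) as savedsearches.conf alert definitions, which is where the "number of events is greater than 0" trigger from the question actually lives. Stanza names, the cron schedule, the 24-hour time range and the email action are assumptions.

```ini
# Added example (not from the thread): three savedsearches.conf alert definitions.
# Stanza names, schedule, time range and the email action are assumptions.

# BROKEN: "stats count" always emits exactly one row, even when it scanned
# zero events (the row just says fail=0). The trigger counts result rows,
# not scanned events, so "1 > 0" is true and the alert fires every morning.
[cust_export_failures_broken]
search = index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1

# FIXED (a): keep the aggregate but drop the row when the count is zero.
# Zero failures -> zero rows -> the trigger does not fire. Note the field
# name: after "stats count as fail" the field is "fail", not "count";
# testing "count>0" here would drop every row and the alert would never fire.
[cust_export_failures_where]
search = index=cust_prod sourcetype=cust_export Result="Failure" | stats count as fail | where fail > 0
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1

# FIXED (b): no stats at all, so the result count is the raw event count and
# "number of events > 0" means what it says. The matching events are the
# results, so the alert action can include them in the notification.
[cust_export_failures_base]
search = index=cust_prod sourcetype=cust_export Result="Failure"
cron_schedule = 0 7 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.email = 1
```

Two things worth checking before trusting either fix. First, run the search by hand over a window that you know contains no failures and confirm the job inspector says "returned 0 results", not 1; that is the exact symptom from the question and the quickest regression test. Second, variant (b) produces one result per failing event, so if the export can log many failures in a day, look at alert.digest_mode and alert.suppress so one scheduled run sends one notification instead of flooding the on-call inbox. A third option, if you want to keep the single summary row, is alert_type = custom with alert_condition = search fail > 0, which evaluates the condition against the result rows rather than counting them.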

pwesterbeek
Engager

Thanks for your quick reply. I will try your solution. Using this search in a dashboard (with traffic light) is working well.

Btw, the trigger is: If number of events is greater than 0

So it is a strange thing that zero events gives a result of one.

0 Karma