Trigger alert for stats query when events are null

santiagn · ‎09-11-2017

Hello,

scheduling an alert to notify me what my current license usage is and I can't get it to trigger since the events return null but rather show a statistic row. How can I get my alert to trigger when events are null?

here is my query:

 | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| stats count AS tnow | eval tnow = now() | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

santiagn · ‎09-19-2017

bump i still cant figure out how to trigger alert for a statistics query please help

santiagn · ‎10-03-2017

bumping this

somesoni2 · ‎09-11-2017

Give this a try

| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | join type=outer stack_id [rest splunk_server=local /services/licenser/stacks | eval stack_id=title | eval stack_quota=quota | fields stack_id stack_quota] | stats sum(used_bytes) as used max(stack_quota) as total | eval usedGB=round(used/1024/1024/1024,4)  | appendcols [| gentimes start=-1 | eval tnow = now() | table tnow | eval timenow=strftime(tnow,"%H%M") | eval useMAX=((timenow/2400)*100)] | convert num(useMAX) as IntMax  | eval license_stats=if('usedGB' >= 'IntMax', "WARNING", "GOOD") | fields usedGB, license_stats, IntMax

santiagn · ‎09-11-2017

events still are null and stats return same. i setthe trigger to run when number of results does not equal 0, still did not trigger

somesoni2 · ‎09-11-2017

Ok. I may have misunderstand the requirement here. When you say events are null means which fields are null/not returned?

santiagn · ‎09-11-2017

sorry i did a bad job explaining. so with my query it returns my usedGB for the day under the "statistics" tab but under the "events" tab " no events found" is shown. im trying to trigger an alert to show me the statistics data but it wont trigger because the "events" tab returns null

somesoni2 · ‎09-11-2017

Because your usedGB is coming from a join subsearch, the events for that will not be shown. What's the trigger condition you're using right now?

santiagn · ‎09-11-2017

i see and i tried all of the trigger conditions lol but right now its set to number of results = 0

somesoni2 · ‎09-11-2017

So basically you want to trigger alert if you get any records with license_stats="WARNING", correct? If yes, then add following to end of your search and set the alert condition to "if number of events are greater than 0".

your current search | where license_stats="WARNING"

santiagn · ‎09-11-2017

ok so then, how do i set thetrigger condition if the "events" tab is still null

Trigger alert for stats query when events are null

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life