Alerting

Can an alert be based on a search that runs but has no matching events?

klf1242
New Member

Can Splunk alerts be based on a search that runs but has no matching events? Is a match the number of times an event must occur in a given time frame? If that is the case, then could I set Splunk up to alert if I am expecting an event and it doesn't happen? Some of my friends in a Splunk class were talking about this, and I was curious what others will say.

0 Karma

traxxasbreaker
Communicator

Yes.

When you create the alert through the UI, you can set the trigger conditions based on the number of events returned; it will then let you enter a value and indicate whether you want the event count to be greater than, less than, or equal to that value (along with a couple more options).

So if you have a search that is supposed to return an expected number of events, and you set the alert to trigger if the event count is either zero or less than the number of events you are expecting, the alert will trigger if you are not getting the right number of events returned.

0 Karma
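The trigger-condition setup described in the answer above, written out as savedsearches.conf stanzas instead of clicked through the UI. This is an added example and not part of the original thread; the index, sourcetype, lookup file, schedule and e-mail address are assumptions for illustration. The second stanza goes one step further than the thread: rather than "the whole search came back empty", it produces one row per expected host that sent nothing, which is usually what you actually want for heartbeat or log-source monitoring.

```ini
# Added example (not from the original post). Assumed names: index=security,
# sourcetype=edr:heartbeat, a lookup file expected_hosts.csv with a "host" column,
# and soc@example.com as the recipient. Adjust all of them to your environment.

# 1. Whole-search absence: fire when the scheduled search runs and returns zero results.
#    This is what the UI's "Number of Results is equal to 0" trigger condition writes out:
#    counttype = number of events, relation = equal to, quantifier = 0.
[EDR heartbeat missing - any]
search = index=security sourcetype=edr:heartbeat
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
counttype = number of events
relation = equal to
quantifier = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = No EDR heartbeats received in the last 15 minutes

# 2. Per-host absence: the search itself lists every expected host that was silent, so the
#    trigger condition flips to "Number of Results greater than 0". inputlookup supplies the
#    expected hosts with count=0; the second stats merges them with the observed counts, so a
#    host that never reported keeps count=0 while any host that did report ends up above 0.
#    alert.digest_mode = 0 triggers once per row, and the suppression keys on host so a
#    silent machine pages once an hour rather than every 15 minutes.
[EDR heartbeat missing - per host]
search = index=security sourcetype=edr:heartbeat | stats count by host \
| append [| inputlookup expected_hosts.csv | fields host | eval count=0] \
| stats sum(count) as count by host \
| where count=0 \
| table host
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantifier = 0
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = EDR heartbeat missing from one or more expected hosts
```

Two caveats worth keeping in mind with absence alerts of either kind: leave enough slack in `dispatch.earliest_time` for forwarder and indexing lag, or the first stanza will page on ordinary ingestion delay; and an absence alert only fires if the scheduled search actually ran, so a search that the scheduler skips (for example under a concurrency limit) produces silence rather than an alert. Watching `index=_internal sourcetype=scheduler status=skipped` for your absence searches closes that gap.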

pkiripolsky
Path Finder

Short answer: yes, it can. You can set up an alert to trigger based on the number of results, so you can set up an alert to trigger if the number of results returned is 0 or less than some arbitrary number.

You can set this up when you save or edit the alert; it's called the "Trigger Conditions".

0 Karma

elliotproebstel
Champion

Yes, one of the options when configuring an alert is to trigger based on number of results, including the option to trigger when the number of results is 0. Here's a screenshot from my Splunk Enterprise 6.6.2 deployment:
[screenshot not reproduced]
