Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alerting for zero events

peter_gianusso
Communicator
‎10-16-2012 08:45 AM

we want a search to execute every 20 minutes that looks at the past 20 minutes and ensures that events have been written to the log file by host.

This search returns no results.
sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m by host | where count=0

When I remove the "by host", the search below only works for a search for the past 4 hours but when I change it to 60 minutes, it stops returning results. It definitely doesn't work for the past 20 minutes.

sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m | where count=0

Any ideas?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 08:54 AM

If a host has no events, it will not be listed at all.

To proceed, you have to save a static list of the hosts, by example in a lookup file or a csv file. (See outputlookup, outputcsv, inputlookup, inputcsv)
and use this lookup as a | JOIN type=outer host to populate the other results, then the missing hosts will be displayed.
see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join

here is an example with csv.
to generate the list once a week over all the week events :

earliest=-1w@w latest=@w | dedup host | stats count AS lastweek by host | outputcsv lastweekhostlist.csv

to use this list with last hour event list

earliest=-1h latest=now | dedup host | stats count AS today by host | JOIN type=outer host [ | inputcsv lastweekhostlist.csv ] | fillnull value=0 today lastweek | where lastweek>0 AND today=0

FYI, we use the dedup host to keep only 1 event per hosts to be faster, but you could remove it and use the actual count of events.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 09:07 AM

actually the timechart by host will return a table like :
timestamp host1 host2 host3
therefore there is not count columns to filter on.

try to replace by
| bucket _time span=20m | stats count by _time host
that will return a table like
timestamp count host

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-16-2012 08:54 AM

If a host has no events, it will not be listed at all.

To proceed, you have to save a static list of the hosts, by example in a lookup file or a csv file. (See outputlookup, outputcsv, inputlookup, inputcsv)
and use this lookup as a | JOIN type=outer host to populate the other results, then the missing hosts will be displayed.
see http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join

here is an example with csv.
to generate the list once a week over all the week events :

earliest=-1w@w latest=@w | dedup host | stats count AS lastweek by host | outputcsv lastweekhostlist.csv

to use this list with last hour event list

earliest=-1h latest=now | dedup host | stats count AS today by host | JOIN type=outer host [ | inputcsv lastweekhostlist.csv ] | fillnull value=0 today lastweek | where lastweek>0 AND today=0

FYI, we use the dedup host to keep only 1 event per hosts to be faster, but you could remove it and use the actual count of events.

0 Karma
Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎10-16-2012 08:56 AM

sorry...lets forget the hosts problem...it's really the query sourcetype="PROD_PSI_HR_UNISYS_RTENGINE_DBG" | timechart count span=20m | where count=0 that's the problem

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...