I want to get an email when no result comes for a specific query. But whenever some problem occurs in Splunk, unfortunately I am getting an email.
Could you please help me to fix this issue?
Still I am facing this issue.
Could anyone please help me with this issue?
Still waiting for the result.
Could anyone please help...
We are still facing the issue.
Try setting custom alerts which trigger only when results are zero, in the alert actions tab.
Where is that present?
Okay, you would receive an email if there is an infrastructural issue with Splunk due to which searching and indexing operations get impacted. That is how it works. You might have to use this for better validity:
| eval delay = _indextime - _time
If there is a delay in indexing and the search results are triggering due to that, you can avoid those by using the above command in your search.
Can I use this query directly in the alert?
basic search | table host
How do I modify this query with your example?
Could you please provide an update
I am still waiting for the response.
Tweak the query as stated. It would help; there is no fixed answer for this, as the query is different w.r.t. the data ingested.
Like this...????
basic search | table host | eval delay = _indextime - _time
Hi @logloganathan,
Maybe you can try to modify your query and have the trigger condition as when the count=0 and you don't have a "splunk restart" message in the _internal index.
Thank you!
Hi Mousumi,
Thanks for your response
Could you please provide example query
Thanks
Loganathan
It triggers the alert when the table is less than 1.
But whenever Splunk is not getting any data, it triggers a false alert.
When the table result is less than 1, it means you are checking if the result event count is 0.
And whenever Splunk is not getting any data, it means the result is also zero, and that should trigger the alert, right? How do you say that it's a false alert?!?!
Yes, you are correct, it is due to a Splunk issue. Sometimes a Splunk restart happens and then I am getting these alerts.
So, please try to adjust your query so that it will create a known number of results, and when that known number of results is not coming, you can trigger an alert.
@logloganathan what is your current query for Alert and what is your Alert Trigger condition?
Also, please explain "some problem occurs": what kind of problem/s?
Hi Nikenilay,
Thanks for your response!!
I used a very simple query:
index=ABC source=XYZ "somefindinfcommand" | stats count by source _time
It triggers the alert when the table is less than 1.
But whenever Splunk is not getting any data, it triggers a false alert.
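An added example, not posted by anyone in this thread, that combines the query above with the suggestion to check _internal for a restart: the search returns a row only when the monitored source produced zero events AND splunkd did not start up in the same window, so a restart-caused gap no longer fires the alert. It assumes the index=ABC source=XYZ search from above, a 15-minute alert window, and that a restart writes a line containing "Splunkd starting" to sourcetype=splunkd in _internal (verify that string against your own splunkd.log before relying on it).

```spl
index=ABC source=XYZ "somefindinfcommand" earliest=-15m latest=now
| stats count AS results
| appendcols
    [ search index=_internal sourcetype=splunkd "Splunkd starting" earliest=-15m latest=now
      | stats count AS restarts ]
| where results == 0 AND restarts == 0
```

Set the alert's trigger condition to "Number of Results" greater than 0; because `stats count` in the subsearch always returns one row, `restarts` is 0 rather than null when no restart happened, so the `where` clause behaves as intended.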
Hi @logloganathan,
Could you give us some more context for this problem? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.
Thanks for posting!