I wanted to create an email alert when no data is transferred to Splunk, i.e. when a search returns 0 results. But the search run by the alert always fails. The status always shows "failed" instead of "done" and I have no idea why. That might be the reason why I don't get any email alert.
You are going to laugh at this (at least I did when it bit me). You have your search set to digest_mode = false/0, which from the GUI shows Trigger as "Once for each result". How many results do you have when your search has 0 results? Exactly. So change it to digest_mode = true/1, which from the GUI shows Trigger as "Once".
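The same two settings side by side as savedsearches.conf stanzas, added here as an illustration and not taken from the thread; the index name, recipient and schedule are placeholders to replace.

```ini
# Added example (not from the original thread). Keys are standard
# savedsearches.conf settings; YOUR_INDEX, the schedule and the address
# are placeholders.

# Broken: "Once for each result". The condition "number of events equal
# to 0" is met, but the per-result trigger has no result to act on, so
# the email action never runs.
[no_data_alert_broken]
search = index=YOUR_INDEX
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = equal to
alert_threshold = 0
alert.digest_mode = 0
action.email = 1
action.email.to = oncall@example.com

# Working: "Once" (digest mode) evaluates the whole result set, so an
# empty result set satisfies "equal to 0" and the email is sent.
[no_data_alert]
search = index=YOUR_INDEX
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = equal to
alert_threshold = 0
alert.digest_mode = 1
# Record firings under Activity > Triggered Alerts so you can confirm
# the alert fires before relying on the email arriving.
alert.track = 1
action.email = 1
action.email.to = oncall@example.com
action.email.subject = No data received in YOUR_INDEX for 15 minutes
```

With the working stanza, a triggered entry in Triggered Alerts but no mail points at the mail server settings rather than the alert itself.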
Hi!
Can you add more details?
Query that you are using, alert configuration, ...