Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why my alerts are sending email if the search result is zero?

maximusdm
Communicator
‎05-16-2017 08:54 AM

I have set up a bunch of alerts to run every 5min with a time range of the last 15min.
Every 5 min I get an email from the alert but when I run the search query it returns me ZERO events.
I did specified to only send emails of results > 0.
So I dont know why this is happening. Here is a screen shot of the email I receive showing (1) event !!??!? why?
Thanks

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-16-2017 09:08 AM

Try to update the alert to show the events inline and/or csv attachment in the email (select appropriate checkboxes in 'Alert Action' dialog). This way you'd see what Splunk is seeing to trigger alert.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎05-16-2017 07:09 PM

Since your question is resolved, please accept somesoni2's comment/answer that led to the resolution.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-16-2017 09:08 AM

Try to update the alert to show the events inline and/or csv attachment in the email (select appropriate checkboxes in 'Alert Action' dialog). This way you'd see what Splunk is seeing to trigger alert.

0 Karma
Reply
Solved! Jump to solution

maximusdm
Communicator
‎05-16-2017 09:39 AM

oh I see...if you look at my query it returns the results into a variable called "Occurences" . So even though results returned me ZERO, this option is counting that as a 1 event. Really? that is strange.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-16-2017 09:50 AM

I didn't look at that. The stats count would give you a result with value of count as 0 if there are no rows. What you should do it to add a where clause in the query itself (e.g. ..| where Occurrences>0 ) to check for count and then change the alert condition to trigger 'when number of events are greater than 0'.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-16-2017 10:08 AM

As far as your base search is returning events stats count will give default result as 0. Which implies that your alert will always be fired is the Trigger Conditions is Number of Results>0. As @somesoni2 mentioned, you either need to add final pipe as| search Occurences>0 to your alert search or else change your Alert Trigger conditions to Custom instead of Number of Results and then set the Custom alert condition as | search Occurences>0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-16-2017 10:12 AM

If you wish to show the trigger condition in your alert email, I would go with @niketnilay's suggestion of using custom trigger condition.

0 Karma
Reply
Solved! Jump to solution

maximusdm
Communicator
‎05-16-2017 02:59 PM

yeah that is what I did: search Occurences > xx
but by following your suggestion somesoni2 it pointed me out to the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...