guilhemmarchand / TA-jira-service-desk-simple-addon

Atlasian JIRA add-on for Splunk alert actions

Alert Action on Zero Results #167

Closed saxmanio85 closed 1 year ago

saxmanio85 commented 1 year ago

Hi,

Attempting to trigger the creation of a Jira when there are no results doesn't seem to work. Is there a requirement for Results > 0 for Jiras to create? In the example below, we receive the email, but the Jira does not create.


Jiras are creating successfully for Alerts where Results > 0.

Thanks in advance

guilhemmarchand commented 1 year ago

Hi @saxmanio85

Well, the alert action creates content based on upstream content, so indeed you would not normally in Splunk expect to generate an action based on "nothing" - it's actually a bit weird that the email action triggers something.

On the JIRA action indeed, it is expecting to loop over results, and not nothing.

If your alert is to be triggered on the fact that your upstream search does not return anything, the right practice is to use an append with makeresults; this is also the case for dashboards, for example:

ex:

index=foo | where <my condition> | stats <my data manipulation>
| eval alert_message="foo is with bar and that is bad"
| append [ | makeresults | eval alert_message="no foo, no bar, bad too" ]
| head 1

The "head 1" depends on what you are after.

Also, it is generally a wrong practice and understanding of what Splunk is to have a simple alert that outputs raw events with no manipulation at all (so just "find my events") - not sure if it's the case here, but it's not generally the right thing to do.

saxmanio85 commented 1 year ago

Thanks @guilhemmarchand for a super quick response.

Our use case is as follows:

We were looking to alert on the lack of an event log, i.e. 'Alert - This task didn't run', as we know we should expect a 'This job started' log and therefore the search would be looking for 'This job started' and finding 0 results.

Hope that makes sense. I guess if this is not the right way to be using Splunk then we'll have to find a different way around this.

guilhemmarchand commented 1 year ago

Yeah I see.

Basically, dealing with the absence of something when it means no logs at all is much more challenging than looking for some conditions.

Everything is doable and Splunk is super flexible in every way; generally in this type of use case you would rely on a lookup (CSV based or KVstore) which acts as your input and referential. Then with some easy SPL you would maintain a status flag to define whether the state is expected or not.

Then instead of rendering an alert because you have nothing, you render your alert based on the fact that the status for your entities (which I assume would be hosts in that case, for instance) is not the one expected. Generally a two-step approach works: a scheduled logic maintains your referential, and your alert renders results from your referential.

But that's my 2 cents and how I would approach it - there are different options and it depends on various factors.
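The two-step lookup-based approach described in this comment, together with the earlier point that the JIRA action needs result rows to loop over, as an added savedsearches.conf example that is not from this thread or the add-on: the stanza names, the lookup file job_heartbeat.csv, the index foo, the "This job started" search string and the 1h threshold are all assumptions.

```ini
# savedsearches.conf fragment (assumed app context; names and thresholds are constructed)

# Step 1: scheduled search that maintains the referential lookup job_heartbeat.csv.
# Seed the CSV once with one row per expected host (host,last_seen,status with last_seen=0)
# so that inputlookup has a table to read and hosts that never log are still tracked.
[Job heartbeat - maintain referential]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Merge the stored state with the latest sighting per host, keep the newest timestamp,
# then flag any host whose last "This job started" event is older than 1 hour.
search = | inputlookup job_heartbeat.csv \
| append [ search index=foo "This job started" | stats max(_time) AS last_seen BY host ] \
| stats max(last_seen) AS last_seen BY host \
| eval status=if(last_seen < relative_time(now(), "-1h"), "missing", "ok") \
| outputlookup job_heartbeat.csv

# Step 2: the alert renders rows from the referential instead of searching for "nothing",
# so there is always a result set to loop over when a host is missing and none when all
# hosts are healthy. Enable the alert action of your choice on this stanza.
[Job heartbeat - missing hosts]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
search = | inputlookup job_heartbeat.csv \
| where status="missing" \
| eval alert_message="No 'This job started' event from " . host . " since " . strftime(last_seen, "%Y-%m-%d %H:%M:%S")
# Trigger only when at least one row (one missing host) is returned.
counttype = number of events
relation = greater than
quantity = 0
```

Because the alert search reads from the lookup rather than from raw events, each missing host becomes one result row carrying host, last_seen and alert_message, which is exactly the upstream content an alert action such as the JIRA one expects to iterate over.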

saxmanio85 commented 1 year ago

Yes, I was thinking of falling back to a lookup if this wasn't possible. We'll have a play with that, thanks so much! I'll close this off.