Reputation: 2568
What search terms should I use when creating alert that is triggered when there are no logs coming from service in Splunk?
I want to trigger an alert when there are no logs coming from our services in Splunk but not sure how to do that.
I can search our logs using this [| inputlookup app | search app=app_name env=prod service=app_name] where app is the csv lookup table with app, env, and service properties that provide lookup values for our search.
One other thing to note is I have access to the sourcetype or the source where
sourcetype=kube:container:app_name_env
source=*k8s_app_name_env_*
But again, not sure what search query I should create the alert based on. I know how to create alerts in splunk but not sure how to trigger it if there are no logs coming from the source above. Any suggestions? Thanks!
Upvotes: 0
Views: 452
Answers (1)
Reputation: 33453
In the Alert actions, have it send a message when there are no results:
Upvotes: 2
Related Questions
- How can we create splunk alerts using config files?
- Splunk: search for “a first log that got printed, but the second was not printed”
- Splunk Alert Creation
- Setting up alerts for metrics in Splunk
- How to write a splunk query to ensure that search is working?
- Splunk Alert on missing log with GUID
- How to make an Alert in Splunk?
- Splunk alert based on the search result value
- Splunk: setting up real time alerts
- Notify upon any serious errors on logs