I am using CheckEventLog of NSClient++ 0.5.0.62 2016-09-14

How do I write the syntax so that, if a particular event ID is not generated within 24 hours, I get a critical alert, and if the event ID is generated, I get status OK?

My syntax:

./check_nrpe -H 192.168.63.1 -c check_eventlog -a "scan-range=-24h" "crit=count=<0"  "filter=id=1" "ok=count>0" "warn=none"

Output:

OK: No entries found

With the above syntax, when event ID 1 is not generated within 24 hours, I'm getting OK status, but I need Critical.

Please help me with the above syntax.

Drifter104

1 Answer

The easy way is to set empty-state and use count much like you did; this overrides the default, which is "ok" when nothing is found.

Nothing found:

check_eventlog scan-range=24h "filter=id=1008 and written < 24h" warn=none "crit=count=0" empty-state=critical
L        cli CRITICAL: CRITICAL: No entries found
L        cli  Performance data: 'count'=0;0;0

Something found:

check_eventlog scan-range=24h "filter=id=1008 and written < 24h" warn=none "crit=count=0" empty-state=critical
L        cli OK: OK: Event log seems fine
L        cli  Performance data: 'count'=12;0;0

You might wanna clean up the syntax a bit using:

  • show-all
  • empty-syntax

Like so:

Something found:

check_eventlog scan-range=24h "filter=id=1008 and written < 24h" warn=none "crit=count=0" empty-state=critical show-all "empty-syntax=Nooooohhhh"
L        cli CRITICAL: Nooooohhhh
L        cli  Performance data: 'count'=0;0;0

Nothing found:

check_eventlog scan-range=24h "filter=id=1008 and written < 24h" warn=none "crit=count=0" empty-state=critical show-all
L        cli OK: OK: 12 message(s) .....)
L        cli  Performance data: 'count'=12;0;0

Please also note that event IDs are NOT globally unique; instead they are unique per source, so using only the event ID will most likely not work as expected if another application (source) happens to use the same event ID...

P.S. This was tested on 0.5.1 not 0.5.0 but should in theory work on 0.5.0 as well...

Michael Medin
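The following is an added example, not part of the answer above and not NSClient++ code: a simplified Python model of an "event must appear within 24 hours" check, showing both the empty-state behaviour and how a second source reusing the same event ID hides a missing event. The function name, the source names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

OK, CRITICAL = 0, 2  # Nagios plugin exit codes


def check_heartbeat(events, now, event_id, source=None,
                    window=timedelta(hours=24), empty_state=CRITICAL):
    """Return (status, count) for 'event must appear within window'.

    events: iterable of (source, id, written) tuples.
    source=None models a filter on the event ID alone.
    """
    cutoff = now - window
    count = sum(
        1 for src, eid, written in events
        if eid == event_id
        and cutoff <= written <= now
        and (source is None or src == source)
    )
    # Nothing matched: the empty state decides the result, as with
    # empty-state=critical in the answer (the default there is ok).
    if count == 0:
        return empty_state, count
    return OK, count


# Constructed sample data: the monitored application ("BackupAgent")
# last logged ID 1008 fifty hours ago; an unrelated source ("OtherApp")
# logged the same ID one hour ago.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [
    ("BackupAgent", 1008, NOW - timedelta(hours=50)),
    ("OtherApp", 1008, NOW - timedelta(hours=1)),
    ("BackupAgent", 1000, NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    # ID only: OtherApp's event satisfies the check, the gap is missed.
    print(check_heartbeat(SAMPLE, NOW, 1008))
    # ID plus source: no match in the window, so the result is CRITICAL.
    print(check_heartbeat(SAMPLE, NOW, 1008, source="BackupAgent"))
    # Same filter with an "ok" empty state: the gap is reported as OK.
    print(check_heartbeat(SAMPLE, NOW, 1008, source="BackupAgent",
                          empty_state=OK))
```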