topic Re: Create alert for delayed files every hour in Getting Data In

Create alert for delayed files every hour?

Chinni611 — Thu, 27 Oct 2022 00:16:10 GMT

hi , I have the below query. Index=Config source =“Java/path/ log.csv” inbound

Csv files are supposed to be delivered on a hourly basis before hour past 13 minutes ( eg : file delivered time is 12:12minutes) . I need to create an alert if any of the files are delivered after 13minutes every hour . (12:14 minutes ) - create alert

Re: Create alert for delayed files every hour

bowesmana — Wed, 26 Oct 2022 22:13:01 GMT

So set up the search

index=Config source="Java/path/log.csv" inbound | stats count

save as an alert and set the trigger alert to custom and set the custom string to

search count=0

and set the cron schedule to be 14 * * * * and the time window to be earliest is @h and latest now

Re: Create alert for delayed files every hour

Chinni611 — Wed, 26 Oct 2022 22:24:44 GMT

Hi , thanks for reply . I have 4 hourly files like that and count returns 4 files at each hour I need to alert if anyone of them are getting delayed . So what should be my trigger condition and alert should go every hour past 13 minutes if file is missing .

Re: Create alert for delayed files every hour

bowesmana — Thu, 27 Oct 2022 00:20:50 GMT

Assuming your different log file is in source field, you could do

index=Config source IN (Log1, Log2, Log3, Log4) inbound | stats dc(source) as sources

and then check for sources < 4

of you could do something like this to detect the missing source

index=Config source IN (Log1, Log2, Log3, Log4) inbound | stats values(source) as foundSources dc(source) as sources | where sources<4 | eval requiredSources=split("Log1,Log2,Log3,Log4", ",") | eval missingSources=mvmap(requiredSources, if(isnull(mvfind(foundSources, requiredSources)), requiredSources, null()))

and then just raise the alert with a standard trigger with the count of values greater than zero, as it will now contain the name of the missing source

Re: Create alert for delayed files every hour

Chinni611 — Mon, 31 Oct 2022 00:09:01 GMT

@bowesmana , thanks for your reply

index=Config source IN (Log1, Log2, Log3, Log4) inbound
| stats values(source) as foundSources dc(source) as sources
| where sources<4
| eval requiredSources=split("Log1,Log2,Log3,Log4", ",")
| eval missingSources=mvmap(requiredSources, if(isnull(mvfind(foundSources, requiredSources)), requiredSources, null()))

I need to use Log1*,Log2* wild card entry with eval in required sources to get the missing sources. Can you please help

Re: Create alert for delayed files every hour

bowesmana — Mon, 31 Oct 2022 00:25:36 GMT

mvfind is using a regex, so if you just add the * on the IN search statement

index=Config source IN (Log1*, Log2*, Log3*, Log4*) inbound | stats values(source) as foundSources dc(source) as sources | where sources<4 | eval requiredSources=split("Log1,Log2,Log3,Log4", ",") | eval missingSources=mvmap(requiredSources, if(isnull(mvfind(foundSources, requiredSources)), requiredSources, null()))

the mvfind will be doing the following

mvfind("Log1foundvalue99", "Log1")

which will be true, so should work anyway. Is there something that is not working? If so, please share what you are searching for and the results

Re: Create alert for delayed files every hour

Chinni611 — Mon, 31 Oct 2022 00:46:31 GMT

Missing sources are getting populated based on required sources . They are not showing full log name which uses wildcard

Re: Create alert for delayed files every hour

bowesmana — Mon, 31 Oct 2022 04:13:05 GMT

Please give more detail - SPL/data/results.