topic Re: Log File Monitoring in Monitoring Splunk

Log File Monitoring

itsomana — Tue, 29 May 2012 14:51:51 GMT

Hi,

I am running the following saved search every 10 minutes which will send an email if *xception is found in the filenetlistener.log file. The email contains the alert along with a csv file which outlines the number of severities.

host=itp-srv-03 index=app sourcetype=filenetlistener source="D:\EAI\axis-jms\logs\listener.log" | search *xception | stats count | rangemap field=count low=0-0 default=severe

Do you know is it possible for Splunk to include in the email the listener log file or an extract of the listener log showing the exception?

Thanks in advance.

Re: Log File Monitoring

lguinn2 — Tue, 29 May 2012 18:25:23 GMT

I would suggest this search instead

host=itp-srv-03 index=app sourcetype=filenetlistener source="D:\EAI\axis-jms\logs\listener.log" *xception

In your alert, set the condition to "if number of events is greater than 0" and select the option to include the results in the email. Splunk will include all the matching events as part of the alert.

BTW, Splunk search is case-insensitive, so if you are searching for "Exception" or "exception" you can simply write it as

host=itp-srv-03 index=app sourcetype=filenetlistener source="D:\EAI\axis-jms\logs\listener.log" exception

and Splunk will find it regardless of capitalization.

Re: Log File Monitoring

itsomana — Wed, 30 May 2012 14:25:09 GMT

Many thanks for you reply. I am not sure if this will work for me as I need the stats count so I can display the saved search on the dashboard. This is green when when zero events of *xception are not found.

I already have set the condition set to alert if the number of events is greater than zero. When one event is found this turns the dashboard to red.