topic Re: Alert On Non Update Of A File in Alerting

Alert On Non Update Of A File

itsomana — Wed, 18 Jan 2012 15:49:19 GMT

I have a linux file that I would like Splunk to index. There will be a Saved Search configured for this file on a dashboard as a traffic light. If in the event the file is not update after 10 minutes the traffic will go from green to red.

What is be best way to configure this

Re: Alert On Non Update Of A File

lguinn2 — Thu, 19 Jan 2012 06:52:11 GMT

| metadata type=sources | search source=yoursourcefilename | eval checkTime = relative_time(now(), "-10m") | 
fields + source recentTime checkTime | eval LastEventReceived = strftime(recentTime, "%F %r") |
eval TenMinutesAgo = strftime(checkTime, "%F %r")

Save this as an alert (in 4.3, choose "Create Alert"). In your custom search condition, put

where checkTime > recentTime

The search computes checkTime as the epoch time as of 10 minutes ago. The metadata command returns recentTime as the most recent time that an event was indexed from the source. And yes, there is no search here - the first character is really a |

Alternately, you could use lastTime instead of recentTime. See more about this choice in the Search Reference manual entry for the metadata command.

Re: Alert On Non Update Of A File

itsomana — Fri, 27 Jan 2012 15:24:58 GMT

Do you know is possible to put the above saved search onto a dashboard and if 10 minutes elapses then it will go from green to red?

Re: Alert On Non Update Of A File

lguinn2 — Sun, 29 Jan 2012 10:30:23 GMT

Maybe, but you need to decide
(1) What value, exactly, do you want to display on the dashboard?
(2) What visualization do you want to use? A single value panel?
(3) Do you want the dashboard to auto-refresh? How often?
After you decide these things, you will probably have some significant XML to write...