topic Splunk Trigger alert no transaction inside log file from the directory? in Splunk Search

Splunk Trigger alert no transaction inside log file from the directory?

karthi2809 — Thu, 26 Apr 2018 07:18:17 GMT

I have two directory having two log files

Directory:

/logs/Test1/
/logs/Test2/

The directory have two log files:

Logs:
error.log
systemout.log

Have to trigger alert for the directory and logs have no transaction for 10 min

Re: Splunk Trigger alert no transaction inside log file from the directory?

kmaron — Thu, 26 Apr 2018 12:37:21 GMT

Try this:

| stats count 
| eval source="/logs/Test1/error.log, /logs/Test1/systemout.log, /logs/Test2/error.log, /logs/Test2/systemout.log"
| makemv delim="," source 
| mvexpand source 
| append 
    [ search ... whatever search you would use to find these transactions from these files that includes the source] 
| stats sum(eval(if(isnull(_time),0,1))) as count by source
| where count < 1

Then set your alert to look back 10 minutes and trigger condition to Number of Results > 0

Re: Splunk Trigger alert no transaction inside log file from the directory?

p_gurav — Thu, 26 Apr 2018 13:28:01 GMT

Can you try this:

|metadata type=sources | eval since=now()-lastTime | search since>=600 | search source="*error.log*" OR source="*systemout.log*"