topic Re: Notification when file is missing in Splunk Search

How can I send a notification when file is missing?

appsik — Mon, 29 May 2023 16:02:13 GMT

Hello dear community,

I am new here and hope for warm support.

The following problem I have to solve: I have several files and if a document is missing, should be sent a notification with the reference to this file.

Example:
File12324.txt
File21111.txt
Filefdfdf.txt
(naming without pattern)
If next day File21111.txt is missing, email goes out with content "..." + File21111.txt + "..."

Thanks for the advice

Re: Notification when file is missing

gcusello — Sat, 27 May 2023 14:52:41 GMT

Hi @appsik,

you should put the filenames to check in a lookup (called e.g. filenames.csv) containing at least a field called "filename".

Then you should run a simple search like the following:

If you have problems to extract the filename field from your logs, I can help you but you should share some sample of your logs.

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Sat, 27 May 2023 15:32:22 GMT

Hi @gcusello

Thanks for the quick reply!
I am not allowed to create a new file. It is only 2-3 files. Later I can catch it with regex

What I think:

index=o sourcetyp=txt source="*\file1.txt" OR "*\file2.txt" OR "*\file3.txt" // if possible | stats sum(source) AS total BY fileName - stats dc(source) as fileCount // if file2.txt is missing | where total != 0

-> alert trigger, I need name of "file2.txt" to send by email

Sorry, I am absolute beginner here

Re: Notification when file is missing

gcusello — Sun, 28 May 2023 08:58:02 GMT

Hi @appsik,

if you cannot creat a lookup (check this because it's strange!) and you have to check only few files, please try this:

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Sun, 28 May 2023 17:17:46 GMT

@gcusello

I would like to better understand the background processes and have installed Splunk on my Windows machine.
I am now wondering how to get from my home: C:\Program Files\Splunk
Access any file via search console:

I created index:

I created the following files:
C:\Program Files\Splunk\worldcities.csv
C:\Program Files\Splunk\worldcities1.csv
C:\Program Files\Splunk\worldcities2.csv

In the search console

index=my_index sourcetype="csv" source="worldcities.csv" | stats dc(source) as fileCount

And I have fileCount: 0, so the file does not exist

Re: Notification when file is missing

PickleRick — Sun, 28 May 2023 20:22:24 GMT

It doesn't work that way. Splunk doesn't simply process any files you throw into its directory.

See the introduction here: https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/WhatSplunkcanmonitor

Re: Notification when file is missing

appsik — Sun, 28 May 2023 20:27:11 GMT

Hallo @PickleRick

I have already uploaded my files: file1.csv, file2.csv, file3.csv as described here: https://community.splunk.com/t5/Getting-Data-In/How-to-index-a-CSV-file-from-a-local-machine/m-p/232138

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 05:26:12 GMT

Hi @appsik,

did you configured the input ro read and index these files?

It isn't suffient to create the index and run the search, you have to:

ingest the sources,
parse them, choosing a correct sourcetype (in your case csv or a custom one),
and then index them,
at this point you can search them in the created index

For more infos see https://docs.splunk.com/Documentation/SplunkCloud/8.0.1/Data/Getstartedwithgettingdatain

there are also many videos in the Splunk YouTube Channel that describe this process: https://www.youtube.com/@Splunkofficial

Ciao.

Giuseppe

Re: Notification when file is missing

PickleRick — Mon, 29 May 2023 07:07:50 GMT

OK. If you uploaded the file via GUI, as described in that article, it should be _somewhere_. Question is what sourcetype did you give it and whether it got properly timestamped and such.

Since it's - as I understand - your small testing installation, verify where your events are.

| tstats min(_time) as earliest max(_time) as latest count where index=* by index source sourcetype
| convert ctime(earliest) as earliest ctime(latest) as latest

Run this search over "all time" time range.

Re: Notification when file is missing

appsik — Mon, 29 May 2023 09:26:37 GMT

@PickleRick Thank you, now I understand how the assignment works

We have a folder in production where it automatically looks, so I thought Splunk automatically looked in the home folder. That was a misunderstanding.

Re: Notification when file is missing

appsik — Mon, 29 May 2023 10:18:09 GMT

Hi @gcusello

Many thanks for your help!

Method with lookup table:
I have created and uploaded a table:

I have assigned FileA.csv, FileB.csv, FileC.csv to my_index

"FileD.csv" is missing in my_index and should be send by email.

What am I doing wrong?

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 10:22:27 GMT

Hi @appsik ,

there's a difference in the filename field extracted from the index and the one in the lookup.

run the search without the last row and see if there are differences.

Please, share results and code in text mode (using the "Insert/Edit Code sample" button) instead as a screenshot, so I can use it.

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Mon, 29 May 2023 10:36:13 GMT

@gcusello unfortunately I do not see any differences

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 11:57:12 GMT

Hi @appsik,

also uppercase and lowercase?

could you share the results of the search without the last row?

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Mon, 29 May 2023 12:26:23 GMT

@gcusello

After run this:

I see:

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 12:49:07 GMT

Hi @appsik ,

which results if you run only the first two rows?

index=my_index | stats count BY Filename

If you haven't any result the problem is the main search.

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Mon, 29 May 2023 12:55:03 GMT

@gcusello

I see: 3 events

but no results

Thank you for your time!

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 12:58:54 GMT

Hi @appsik ,

this means that you have three events but yu haven't the field Filename.

If you run only the main search (first row) in Verbose Mode, have you this field in Interesting fields?

probably not, so try to run this:

Ciao.

Giuseppe

Re: Notification when file is missing

appsik — Mon, 29 May 2023 13:32:10 GMT

@gcusello

>this means that you have three events but yu haven't the field Filename.

>If you run only the main search (first row) in Verbose Mode, have you this field in Interesting fields?

>probably not

Thank you, I understood that

Now please return to my task

if I run:

I see:

I don't understand what this (second line) line is for. | rex field=source "(?<Filename>\w+\.csv)$"
Is it possible without RegEx?

Re: Notification when file is missing

gcusello — Mon, 29 May 2023 13:39:35 GMT

Hi @appsik,

in the second raw I extract the filename from the source using a regex.

Anyway, regex is the only way to extract a parte or the source field.

If you don't know very well regexes I hint to use some time to learn this because regexes are very usegul in Splunk.

Ciao.

Giuseppe