Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Alert on file age

diegosainz
Path Finder
‎12-04-2013 08:26 AM

I would like to know if it is possible to be alerted if a file is older then a specific time frame. We have files that are written down every 5 minutes. I would like to be alerted if the age of the file is in excess of 7 minutes.

Any input would be appreciated.

0 Karma
Reply
Highlighted

Re: Alert on file age

aholzer
Motivator
‎12-04-2013 08:35 AM

You probably want something that checks _time vs _indexedtime.

... | eval diff = _indexedtime - _time | where diff > 5*60*1000

0 Karma
Reply
Highlighted

Re: Alert on file age

somesoni2
SplunkTrust
SplunkTrust
‎12-04-2013 08:37 AM

Try following:

|metadata type=sources index=* | eval age=now()-recentTime | where age>420

This lists all the sources (files indexed in Splunk) which were last accessed 420 sec (7 min) ago. You can setup alert when this search returns rows.

0 Karma
Reply