Alerting

Alerting on Files not received in time ranges?

Entus
New Member

I'm trying to create an alert that will work like a directory monitor.

Essentially, I want to alert if File A is not received by 6 A.M. How can I search on an item that DOES NOT equal a certain time range? That's the only way I can think to do this.

I'm having trouble determining how to write this in search. 1 P.M. is greater than 6 A.M., but the number itself is less than 6 A.M. and will show up.

The acceptable times of file receipt are from 12:00 A.M. to 6:00 A.M.

Here is an example of the event:

2015-04-12 17:39:35 1X8.160.1X5.100 - baphlthpdf [416052]dele /reports/14673-P581_Stmt_P581MC12.TXT_TBR0OOU4M.zip - 250 - - - 22
host = exptldsftp01 source = D:\FTP Server settings\Logs\ex150412.log sourcetype = comm_globalscape

Any help will be greatly appreciated.

1 Solution

mmccul
SplunkTrust

Since you already have the log events, create an alert and use cron scheduling to run the alert check at the end of the acceptable time frame and use a search term like earliest=-6h to say "only look for this log event in the past six hours". Set the alert condition for when no matching events occur and you'll get an alert when you want.

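As an added example (not from the original thread), here is what the accepted answer looks like as a savedsearches.conf stanza: a daily cron run just after the acceptable window closes, a search restricted to that window, and an alert that fires on zero results. The stanza name, index, and the file-name search term are assumptions; the host and sourcetype come from the event in the question.

```ini
# Hypothetical alert stanza for savedsearches.conf; names are assumptions
[File A not received by 6 AM]
enableSched = 1
# Run once a day at 06:05, just after the acceptable receipt window ends
cron_schedule = 5 6 * * *
# Only look at events from midnight to 6 AM today (the acceptable window).
# Note: these bounds filter on _time, not _indextime; see the other reply
# in this thread for an _indextime-based variant.
dispatch.earliest_time = @d
dispatch.latest_time = @d+6h
# Match the upload log line for the expected file (search term is an assumption)
search = index=your_index sourcetype=comm_globalscape host=exptldsftp01 "P581_Stmt"
# Alert condition: fire when the scheduled search returns no events
counttype = number of events
relation = equal to
quantity = 0
alert_type = number of events
alert.track = 1
# Notify by email (recipient is a placeholder)
action.email = 1
action.email.to = ops@example.com
```

If the file arrives late, the next scheduled run sees it inside the window only if its _time falls before 6 AM, so a file delivered at 1 P.M. still produces an alert the following morning.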

Entus
New Member

Thanks guys, you are probably right. We do have directory monitor applications, but we are fleshing out what Splunk can and can't do well. Doesn't Splunk have separate directory monitoring capabilities?


Yasaswy
Contributor

Hi, if I understood your requirement right, the main purpose of the alert is to let you know that a file has not arrived in a directory before a certain time. Correct? Ideally it's preferable to do this outside Splunk. A SiteScope monitor or something similar. Why use Splunk for this kind of alert? Splunk alerting will be fully dependent on what happens after Splunk picks it up and processes it.

That being said, for this kind of alert you may want to see if anything got indexed between 6:00 AM and midnight for the day and alert you on it. E.g.:

index=your_index earliest=@d latest=now host=exptldsftp01 source="D:\FTP Server settings\Logs\ex150412.log" | convert timeformat="%H" ctime(_indextime) AS idxTime | eval myTime = tonumber(idxTime) | where myTime > 6

If you run something like the above to see if any events got indexed from 7 AM (you can tweak the above timing as needed)... you can schedule this search per your scheduling needs and always look for any data that is getting indexed when you are not supposed to be receiving data from that source, and email you an alert if any results are found.


Yasaswy
Contributor

I meant:
index=your_index earliest=@d latest=now host=exptldsftp01 source="D:\FTP Server settings\Logs\ex150412.log" | convert timeformat="%H" ctime(_indextime) AS idxTime | eval myTime = tonumber(idxTime) | where myTime > 6

Looks like the code sample messed up the ">".


aholzer
Motivator

Have you considered simply using military time instead of AM/PM? The hours would simply be 00 through 23; where 00 is midnight, and 23 is 11pm.

Hope this helps
