I'm trying to create an alert that will work like a directory monitor.
Essentially, I want to alert if File A is not received by 6 A.M. How can I search on an item that DOES NOT fall within a certain time range? That's the only way I can think to do this.
I'm having trouble determining how to write this in search. 1 P.M. is later than 6 A.M., but the number itself is less than 6 and will show up.
The acceptable times of file receipt are from 12:00 A.M. to 6:00 A.M.
Here is an example of the event:
2015-04-12 17:39:35 1X8.160.1X5.100 - baphlthpdf [416052]dele /reports/14673-P581_Stmt_P581MC12.TXT_TBR0OOU4M.zip - 250 - - - 22
host = exptldsftp01 source = D:\FTP Server settings\Logs\ex150412.log sourcetype = comm_globalscape
Any help will be greatly appreciated.
Since you already have the log events, create an alert and use cron scheduling to run the alert check at the end of the acceptable time frame and use a search term like earliest=-6h to say "only look for this log event in the past six hours". Set the alert condition for when no matching events occur and you'll get an alert when you want.
Thanks guys, you are probably right. We do have directory monitor applications, but we are fleshing out what Splunk can and can't do well. Doesn't Splunk have separate directory monitoring capabilities?
Hi, if I understood your requirement right, the main purpose of the alert is to let you know that a file has not arrived in a directory before a certain time. Correct? Ideally it's preferable to do this outside Splunk, with a SiteScope monitor or something similar. Why use Splunk for this kind of alert? Splunk alerting will be fully dependent on what happens after Splunk picks it up and processes it.
That being said, for this kind of alert you may want to see if anything got indexed between 6:00 AM and midnight for the day and alert you on it. E.g.:
index=your_index earliest=@d latest=now host=exptldsftp01 source="D:\FTP Server settings\Logs\ex150412.log" | convert timeformat="%H" ctime(_indextime) AS idxTime | eval myTime = tonumber(idxTime) | where myTime > 6
If you run something like the above to see if any events got indexed from 7 AM on (you can tweak the above timing as needed), you can schedule this search per your scheduling needs, always look for any data that is getting indexed when you are not supposed to be receiving data from that source, and have it email you an alert if any results are found.
I meant:
index=your_index earliest=@d latest=now host=exptldsftp01 source="D:\FTP Server settings\Logs\ex150412.log" | convert timeformat="%H" ctime(_indextime) AS idxTime | eval myTime = tonumber(idxTime) | where myTime > 6
Looks like the code sample messed up the ">".
Have you considered simply using military time instead of AM/PM? The hours would simply be 00 through 23, where 00 is midnight and 23 is 11 PM.
Hope this helps.
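As an added example (not code from any answer on this page), the same checks in Python: parse a few constructed lines in the comm_globalscape layout shown in the question, compare times on a 24-hour clock as the last answer suggests, and implement both alert conditions from the thread (no upload before the 06:00 cutoff, and anything arriving after it). The field layout and the `stor` command are assumptions based on the single line posted, and the event timestamp stands in for Splunk's `_indextime`.

```python
import re
from datetime import datetime, time

# Constructed sample lines in the comm_globalscape layout shown in the question
# (not real log data; times are chosen to fall on both sides of the 06:00 cutoff).
SAMPLE_LOG = """\
2015-04-12 02:15:07 1X8.160.1X5.100 - baphlthpdf [416001]stor /reports/FileA.zip - 226 - - - 22
2015-04-12 13:39:35 1X8.160.1X5.100 - baphlthpdf [416052]dele /reports/14673-P581_Stmt_P581MC12.TXT_TBR0OOU4M.zip - 250 - - - 22
2015-04-13 17:02:44 1X8.160.1X5.100 - baphlthpdf [416103]stor /reports/FileA.zip - 226 - - - 22
"""

# timestamp, client, '-', user, [id]command, path ... (layout assumed from the one line posted)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ - \S+ \[\d+\](\w+) (\S+)")


def parse_events(text):
    """Return a list of (timestamp, command, path) tuples, one per parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return events


def received_in_window(ts, start=time(0, 0), end=time(6, 0)):
    """True when ts falls in [start, end). Comparing 24-hour time objects rather than
    12-hour numbers avoids the '1 PM looks smaller than 6 AM' problem from the question."""
    return start <= ts.time() < end


def file_missing_by_cutoff(events, day, path, cutoff=time(6, 0)):
    """Alert condition for a check scheduled at the cutoff: True when no upload ('stor')
    of `path` dated `day` happened before `cutoff`, i.e. the 'no results' case."""
    return not any(ts.date() == day and p == path and cmd == "stor" and ts.time() < cutoff
                   for ts, cmd, p in events)


def out_of_window_events(events, cutoff_hour=6):
    """Equivalent of the answer's '| where myTime > 6': events whose hour is after the cutoff."""
    return [ev for ev in events if ev[0].hour > cutoff_hour]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, cmd, p in out_of_window_events(evs):
        print(f"unexpected {cmd} at {ts:%H:%M} (24-hour clock): {p}")
    print("File A missing on 2015-04-13:", file_missing_by_cutoff(evs, evs[2][0].date(), "/reports/FileA.zip"))
```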