Hi Team,
We have multiple log files which will be regularly getting updated and the same will be ingested into Splunk. For example as mentioned in below query when i search the data for last 15 mintues i can see "n" number of events would be getting ingested for each and every minute and sometimes there would be multiple events in a single minute as well. So suppose if i search the specific (index=abc host="efg" machinedata OR xxxx-) query & doesnt have any events for the next 3 minutes then it should trigger an email alert to the concerned team.
Search query look like as below:
index=abc host="efg" machinedata OR xxxx-
Events return after search would be as below:
2020-06-19 05:15:53,083 INFO xxxx- splunk machinedata - Content Type : text/plain; charset=us-ascii xxxxxxx-xxxxx-xxxxx
2020-06-19 05:15:53,083 INFO xxxx- splunk machinedata - Body type: .net.lang.String xxxxx-xxxx-xxxxxxx
2020-06-19 05:15:52,881 DEBUG xxxx- splunk machinedata - [AccessMessage]: Matched: xxxx-xxxx-xxxx-xxxxx
2020-06-19 05:15:52,881 DEBUG xxxx- splunk machinedata - [abc (accept)]: Subject: [sample] abc def ijk XXXXXXXXXX
So kindly help with the query so that if there are no new events for last 3 minutes then it needs to trigger an email.
Hi @anandhalagaras1 ,
you have to use your search in alert, scheduled every 3 minutes (cron */3 * * * *) where the trigger condition is "Number of results is equal to 0".
Ciao.
Giuseppe
You could use your SPL as is and:
BR
edit: @gcusello was quicker 🙂
thank you for your swift response.😀
Hi @anandhalagaras1 ,
you have to use your search in alert, scheduled every 3 minutes (cron */3 * * * *) where the trigger condition is "Number of results is equal to 0".
Ciao.
Giuseppe
thank you.