Alerting

Dynamic alert creation for TSM backup failures

rchittip
Path Finder

We are monitoring a folder which has multiple (~100) files. Each file has a single line of backup status. I have indexed all the files into Splunk. Each line shown below comes from a different source.

10/08/2019 23:00:00,,INC1111,SERVER1,Missed
10/08/2019 22:00:00,,INC2210,SERVER2,Missed
10/08/2019 21:00:00,10/08/2019 21:00:40,INCR2100,SERVER3,Failed 12
10/08/2019 22:00:00,,INC2200,SERVER4,Missed
10/08/2019 21:00:00,10/08/2019 21:00:40,INCR2100,SERVER5,Failed 12
10/08/2019 21:00:00,,INC2100,SERVER6,Missed
10/08/2019 21:00:00,,INC2100,SERVER7,Missed
10/08/2019 21:00:00,10/08/2019 21:00:40,INCR2100,SERVER8,Failed 12
10/08/2019 21:00:00,,INC2100,SERVER9,Missed
10/08/2019 21:00:00,,INC2100,SERVER10,Missed
10/08/2019 20:00:00,10/08/2019 20:05:02,INCR2000,SERVER11,Failed 12

The requirement is to create an individual alert for each line here. Is this possible with any dynamic query? I can create alerts in bulk, but that is not the solution we are looking for.

Is there any possibility of creating a dynamic alert for each entry above from the different files?

Thanks,
Ramu Chittiprolu

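As an added example (not code from the question, the reply, or Splunk itself): a small Python parser for the backup-status line format posted above, which turns each line into one structured alert record keyed by node, schedule and scheduled time, so the same entry re-indexed from a re-read file does not produce a second alert. The field meanings (scheduled start, actual start, schedule name, node name, status with a trailing TSM client return code), the day-first date format and the severity mapping are assumptions, and the sample lines are constructed from the question's data.

```python
import csv
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample input in the question's format (one line per source file).
SAMPLE_LINES = [
    "10/08/2019 23:00:00,,INC1111,SERVER1,Missed",
    "10/08/2019 21:00:00,10/08/2019 21:00:40,INCR2100,SERVER3,Failed 12",
    "10/08/2019 21:00:00,,INC2100,SERVER6,Missed",
    "10/08/2019 20:00:00,10/08/2019 20:05:02,INCR2000,SERVER11,Failed 12",
]

# Assumption: timestamps are day-first; the sample values parse either way.
TS_FMT = "%d/%m/%Y %H:%M:%S"


@dataclass
class BackupEvent:
    scheduled: datetime            # assumed: scheduled start of the backup
    started: Optional[datetime]    # assumed: actual start, empty when Missed
    schedule: str                  # assumed: TSM schedule name
    node: str                      # assumed: client node / server name
    status: str                    # "Missed" or "Failed"
    return_code: Optional[int]     # assumed: numeric suffix is the client return code
    source: str                    # file the line was read from


def parse_line(line: str, source: str) -> BackupEvent:
    """Parse one comma-separated status line; reject malformed input."""
    fields = next(csv.reader([line]))
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    scheduled_s, started_s, schedule, node, status_s = (f.strip() for f in fields)
    status, _, rc = status_s.partition(" ")
    return BackupEvent(
        scheduled=datetime.strptime(scheduled_s, TS_FMT),
        started=datetime.strptime(started_s, TS_FMT) if started_s else None,
        schedule=schedule,
        node=node,
        status=status,
        return_code=int(rc) if rc else None,
        source=source,
    )


def build_alerts(lines: Iterable[str], source: str) -> List[Dict]:
    """One alert per failed/missed entry, de-duplicated on node+schedule+time."""
    alerts: Dict[str, Dict] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line, source)
        if ev.status not in ("Missed", "Failed"):
            continue  # successful runs never raise an alert
        key = f"{ev.node}:{ev.schedule}:{ev.scheduled.isoformat()}"
        if key in alerts:
            continue  # same entry seen again (e.g. file re-indexed)
        alert = {
            "dedup_key": key,
            "title": f"TSM backup {ev.status.lower()}: {ev.node} ({ev.schedule})",
            "severity": "high" if ev.status == "Failed" else "medium",
            "node": ev.node,
            "schedule": ev.schedule,
            "scheduled": ev.scheduled.isoformat(),
            "source": ev.source,
        }
        if ev.return_code is not None:
            alert["return_code"] = ev.return_code
        alerts[key] = alert
    return list(alerts.values())


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LINES, "constructed-sample"):
        print(a)
```

The de-duplication key is the part worth carrying over to whatever alerting tool is used: in Splunk the same effect comes from a saved search that emits one result per entry and an alert whose trigger condition is set to fire for each result, with throttling on the node and schedule fields so a re-read file does not page twice for the same miss.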

richgalloway
SplunkTrust

Different sources should not be a problem in creating an alert. Please explain what should trigger the alert. What is to be "dynamic" about the alert?

---
If this reply helps you, Karma would be appreciated.