Re: How do I configure an alert for missing files ...

kpavan · ‎12-03-2018

Hi all,

I need help creating an alert for the difference of 2 directories. Let's say: sender directory has files 4 but receiver directory has 2. Now, I need to configure an alert for 2 missing files with names/details from receiver directory.

Getting the below outputs from each directory on a scheduled basis (1hr), I need to compare 2 directories and get the output for the missing file names and trigger an alert.

Sender Directory
[root] ➤ ls -l
total 0
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file1.txt
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file2.txt
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file3.txt
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file4.txt

Receiver Directory
[root] ➤ ls -l
total 0
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file1.txt
-rwx------ 1 Users UsersGrp 0 Dec 3 13:16 file2.txt

Please help me with queries to configure alert.

Thanks in advance!

tom_frotscher · ‎12-03-2018

Hi,

as a simple first approach it could be enough to:

set your time range to the last hour an
extract the filename with help of regex if not already done
do a | stats count by filename

The result should always be 2 if every file is present in both directories. If it is not 2, you could trigger your alert.

Greetings

Tom

How do I configure an alert for missing files from different directories?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Join the Conversation