Alerting

How to create a Splunk alert when a file size is below 10 bytes from a log file?

Vin
Engager

I'm trying to write a Splunk query to find out a file size below 10 bytes from a log file. I have the index and log location but am unable to find the exact query. Please help me out in writing a query and creating an alert out of it.


venkatasri
SplunkTrust

Hi @Vin, you could try this. Restrict the time range to the window in which you want to check the log file size.

index=_internal sourcetype=splunkd Metrics host="<your_host>"  group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


Vin
Engager

Thanks Venkatasri. But I need to pull the size using the file name with the *.imp extension from the logs. How do I add the file name .imp in the query and get the output?


Vin
Engager

This is the query I tried, and I got zero results. From file.log, I need to search for .imp files which are below 10 bytes and give us the output.

index="servers"  source="/opt/apps/log.root/file.log"  |  stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


venkatasri
SplunkTrust

What do the file.log contents look like? Redact the IPs, usernames etc. before posting. Paste a few sample events.


Vin
Engager

It's the regular Java server output log. Sorry, I cannot post them. In file.log, we need to look for Name: CONFIRM.LLPC2345.imp   Path: /opt/apps/log.root/file.log/

If the .imp file is less than 10 bytes then we need to get an alert.


venkatasri
SplunkTrust

The Java server log doesn't have bytes related to the .imp file, so Splunk cannot find that to alert on.

Splunk can only query the data that exist in logs.


Vin
Engager

I think I conveyed the scenario wrongly. So on the Linux server we have the log location opt/apps/file.log. From file.log we need to look for names which have the .imp extension and which are below 10 bytes. Hope I didn't confuse you this time.


Vin
Engager

@venkatasri Hope you got my requirement? Any suggestions on how to write the query? Please advise.


venkatasri
SplunkTrust

If the event doesn't have the bytes associated with the file, Splunk cannot provide that detail.

For example, if the event is,

file: temp.txt, 45 bytes, created today, file closed.

Then in this scenario the event contains knowledge about file temp.txt of size 45 bytes and that it's closed. Then Splunk can retrieve it, and an alert/report etc. can be created.

What we need to retrieve, in this case the bytes, must exist in the 'events' / _raw data.

Hope this clarifies.

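As an added example (not from either poster), this is the shape the search takes once the byte count is actually present in the event. It assumes events formatted like the temp.txt line above, written to the index and source Vin mentioned, and that the `.imp` name is the file field in that same event:

```spl
index="servers" source="/opt/apps/log.root/file.log" "bytes"
| rex field=_raw "file:\s+(?<file_name>[^,]+),\s+(?<size_bytes>\d+)\s+bytes"
| where isnotnull(size_bytes)
| eval size_bytes=tonumber(size_bytes)
| where like(file_name, "%.imp") AND size_bytes < 10
| table _time host file_name size_bytes
```

Save it with Save As > Alert and set the trigger condition to Number of Results greater than 0 over the time range you want to check; if the Java log never prints a byte count alongside the .imp name, the rex extracts nothing and the search stays empty, which is exactly the limitation described above.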

venkatasri
SplunkTrust

series="*.imp" might work; you have to find out what else has been included here. There could be other files with the same name.
