Alerting

How to create a Splunk alert when a file size is below 10 bytes from a log file?

Vin
Engager

I'm trying to write a Splunk query to find out a file size below 10 bytes from a log file. I have the index and log location but am unable to find the exact query. Please help me out in writing a query and creating an alert out of it.


venkatasri
SplunkTrust

Hi @Vin, you could try this. Restrict the time range to the window in which you want to check the log file size.

index=_internal sourcetype=splunkd Metrics host="<your_host>"  group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


Vin
Engager

Thanks Venkatasri. But I need to pull the size using the file name with the *.imp extension from the logs. How do I add the file name .imp to the query and get the output?


Vin
Engager

This is the query I tried, and it returned zero results. From file.log, I need to search for .imp files which are below 10 bytes and output them.

index="servers"  source="/opt/apps/log.root/file.log"  |  stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


venkatasri
SplunkTrust

What do the file.log contents look like? Redact the IPs, usernames etc. before posting. Paste a few sample events.


Vin
Engager

It's the regular Java server output log. Sorry, I cannot post them. In file.log, we need to look for: Name: CONFIRM.LLPC2345.imp  Path: /opt/apps/log.root/file.log/

If the .imp file is less than 10 bytes then we need to get an alert.


venkatasri
SplunkTrust

The Java server log doesn't have bytes related to the .imp file, so Splunk cannot find that to alert on.

Splunk can only query the data that exists in logs.


Vin
Engager

I think I conveyed the scenario wrongly. So on the Linux server we have the log location opt/apps/file.log. From the file.log we need to look for names which have the .imp extension and which are below 10 bytes. Hope I didn't confuse you this time.


Vin
Engager

@venkatasri Hope you got my requirement? Any suggestions on how to write the query? Please advise.


venkatasri
SplunkTrust

If the event doesn't have the bytes associated with the file, Splunk cannot provide that detail.

For example, if the event is:

file: temp.txt, 45 bytes, created today, file closed.

Then in this scenario the event contains knowledge about file temp.txt, of size 45 bytes, and that it's closed. Splunk can retrieve that, and an alert/report etc. can be created.

What we need to retrieve, in this case the bytes, must exist in the 'events' / _raw data.

Hope this clarifies.

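The point made in that answer, that the byte count has to be present in an indexed event before Splunk can alert on it, can be met by producing such events yourself. The following is an added example, not code from this thread or from Splunk: a small POSIX shell collector of the kind that could be run as a Splunk scripted input, emitting one key=value event per *.imp file with its size in bytes, plus the same under-threshold test that the alert search would apply after indexing. The directory, the sourcetype name imp_filesize, the index name and the alert search shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit one key=value event per *.imp file
# so that the file size exists in _raw. Run it as a Splunk scripted input on an
# interval (assumed deployment); an alert search could then be, for example,
#   index=servers sourcetype=imp_filesize bytes<10
# with the trigger condition "number of results is greater than 0".
# Directory, sourcetype and index names are assumptions.

# Print one event per *.imp file found under the directory given as $1.
# A 0-byte file still gets an event here, which a monitor input on the .imp
# files themselves would never produce (nothing to read means no event).
report_imp_sizes() {
    dir="$1"
    find "$dir" -type f -name '*.imp' | while IFS= read -r f; do
        # wc -c counts bytes; tr strips the padding some wc builds add
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s name="%s" path="%s" bytes=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(basename "$f")" "$f" "$size"
    done
}

# Count the *.imp files under $1 whose size is below $2 bytes, applying to the
# emitted events the same test the alert search applies after indexing.
count_small_imp() {
    dir="$1"
    limit="$2"
    report_imp_sizes "$dir" | awk -v lim="$limit" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^bytes=/) { split($i, kv, "="); if (kv[2] + 0 < lim) n++ }
        }
        END { print n + 0 }'
}

# Stand-alone usage: sh this_script.sh /opt/apps/log.root  (path from the thread)
if [ -n "$1" ]; then
    report_imp_sizes "$1"
fi
```

Because every file gets an event on every run, an alert on bytes<10 fires again each interval while a small file persists; scoping the alert's time range to one collection interval keeps it from counting the same file twice.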

venkatasri
SplunkTrust

series="*.imp" might work; you have to find out what else has been included here. There could be other files with the same name.
