Alerting

How to create a Splunk alert when a file size is below 10 bytes from a log file?

Vin
Engager

I'm trying to write a Splunk query to find out a file size below 10 bytes from a log file. I have the index and log location but am unable to find the exact query. Please help me out in writing a query and creating an alert out of it.


venkatasri
SplunkTrust

Hi @Vin, you could try this. Restrict the time range to the window in which you want to check the log file size.

index=_internal sourcetype=splunkd Metrics host="<your_host>" group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


Vin
Engager

Thanks Venkatasri. But I need to pull the size using the file name with the *.imp extension from the logs. How do I add the file name .imp to the query and get the output?


Vin
Engager

This is the query I tried, and I got zero results. From file.log, I need to search for .imp files which are below 10 bytes and give us the output.

index="servers" source="/opt/apps/log.root/file.log" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10


venkatasri
SplunkTrust

What do the file.log contents look like? Redact the IPs, usernames, etc. before posting. Paste a few sample events.


Vin
Engager

It's the regular Java server output log. Sorry, I cannot post them. In file.log, we need to look for Name: CONFIRM.LLPC2345.imp     Path: /opt/apps/log.root/file.log/

If the .imp file is less than 10 bytes, then we need to get an alert.


venkatasri
SplunkTrust

The Java server log doesn't have byte counts related to the .imp file, so Splunk cannot find that to alert on.

Splunk can only query the data that exists in the logs.


Vin
Engager

I think I conveyed the scenario wrongly. So on the Linux server we have the log location opt/apps/file.log. From file.log we need to look for names which have the .imp extension and which are below 10 bytes. Hope I didn't confuse you this time.


Vin
Engager

@venkatasri Hope you got my requirement. Any suggestions on how to write the query? Please advise.


venkatasri
SplunkTrust

If the event doesn't have the bytes associated with the file, Splunk cannot provide that detail.

For example, if the event is:

file: temp.txt, 45 bytes, created today, file closed.

In this scenario the event contains knowledge about the file temp.txt, of size 45 bytes, and that it's closed. Then Splunk can retrieve it, and an alert/report etc. can be created.

What we need to retrieve, in this case the bytes, must exist in the 'events' / _raw data.

Hope this clarifies.

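The event shape venkatasri describes, worked through as an added example that is not part of the thread: three constructed sample events are built inline with makeresults so the search runs on any Splunk instance, the file name and byte count are extracted with rex, and only .imp files under 10 bytes survive the where clause. The field names file_name and file_bytes and the sample events are assumptions; on the three constructed events only CONFIRM.LLPC2345.imp (4 bytes) is returned.

```spl
| makeresults
| eval event="file: temp.txt, 45 bytes, created today, file closed;file: CONFIRM.LLPC2345.imp, 4 bytes, created today, file closed;file: REPORT.LLPC9876.imp, 512 bytes, created today, file closed"
| makemv delim=";" event
| mvexpand event
| rex field=event "file:\s+(?<file_name>[^,\s]+),\s+(?<file_bytes>\d+)\s+bytes"
| where like(file_name, "%.imp") AND tonumber(file_bytes) < 10
| table _time file_name file_bytes
```

Against real data, replace the first four lines with index="servers" source="/opt/apps/log.root/file.log" and drop field=event so rex reads _raw, then save the search as an alert that triggers when the number of results is greater than 0. It returns nothing if, as in this thread, the events carry no byte count at all.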

venkatasri
SplunkTrust

series="*.imp" might work; you have to find out what else has been included here. There could be other files with the same name.
