I'm trying to write a Splunk query to find a file size below 10 bytes from a log file. I have the index and log location but am unable to find the exact query. Please help me out in writing a query and creating an alert out of it.
Hi @Vin, you could try this. Restrict the time range to the window in which you want to check the log file size.
index=_internal sourcetype=splunkd Metrics host="<your_host>" group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10
This is the query I tried, and I got zero results. From file.log, I need to search for .imp files that are below 10 bytes and give us the output.
index="servers" source="/opt/apps/log.root/file.log" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10
It's the regular Java server output log. Sorry, I cannot post them. In file.log, we need to look for Name: CONFIRM.LLPC2345.imp Path: /opt/apps/log.root/file.log/
If the .imp file is less than 10 bytes, then we need to get an alert.
I think I conveyed the scenario wrongly. So on the Linux server we have the log location opt/apps/file.log. From file.log we need to look for names which have the .imp extension and which are below 10 bytes. Hope I didn't confuse you this time.
If the event doesn't have the bytes associated with the file, Splunk cannot provide that detail.
For example, if the event is:
file: temp.txt, 45 bytes, created today, file closed.
Then in this scenario the event contains knowledge about file temp.txt, of size 45 bytes, and that it's closed. Then Splunk can retrieve it, and an alert/report etc. can be created.
What we need to retrieve, in this case the bytes, must exist in the 'events' / _raw data.
Hope this clarifies.
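As an added illustration (not from any of the replies above), this is the kind of search that would work once the events do carry a size: it assumes each event reads roughly like "Name: CONFIRM.LLPC2345.imp ... 45 bytes" (an assumed format, modelled on the temp.txt example), uses the index and source from the question, extracts the file name and byte count with rex, and keeps only .imp files under 10 bytes. The field names imp_file and file_bytes are my own.

```spl
index="servers" source="/opt/apps/log.root/file.log" "Name:" ".imp" bytes
| rex field=_raw "Name:\s+(?<imp_file>\S+\.imp)\b.*?(?<file_bytes>\d+)\s+bytes"
| eval file_bytes=tonumber(file_bytes)
| where isnotnull(file_bytes) AND file_bytes < 10
| table _time, host, imp_file, file_bytes
```

Saved as an alert with the trigger condition "number of results is greater than 0", this fires whenever such an event appears in the scheduled window; if the search returns nothing even when small .imp files are known to exist, the byte count is not in _raw and needs to be logged by the application first.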