I'm trying to write a Splunk query to find out a file size below 10 bytes from a log file. I have the index and log location but unable to find the exact query. Please help me out in a writing a query and creating an alert out of it.
 
		
		
		
		
		
	
			
		
		
			
					
		Hi @Vin You could try this. Restrict the timerange to the window that you want to check the log file size.
index=_internal sourcetype=splunkd Metrics host="<your_host>"  group=per_source_thruput series="<your_log_path_or_name>" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10
Thanks Venkatasri..But I need to pull the size using file name *.imp extension from the logs. How to add the file name .imp in the query and get the output?
This is the query I tried and got zero results. From the file.log, I need to search for .imp files which are below 10 bytes and give us the output.
index="servers" source="/opt/apps/log.root/file.log" | stats sum(kb) as total_kbytes | where (total_kbytes*1000) < 10
 
		
		
		
		
		
	
			
		
		
			
					
		How is file.log contents look like? redact the ip's username etc before posting. Paste few sample events.
It's the regular java server output log. Sorry I cannot post them. In file.log, we need to look for Name: CONFIRM.LLPC2345.imp Path: /opt/apps/log.root/file.log/
If the .imp file is less than 10 bytes then we need to get an alert.
 
		
		
		
		
		
	
			
		
		
			
					
		java server log doesn't have bytes related to .imp file so Splunk can not find that to Alert.
Splunk can only query the data exist in logs .
I think I conveyed the scenario wrongly. So on the Linux server we have the log location opt/apps/file.log. From the file.log we need to look for name which have .imp extension and which are below 10 bytes. Hope I didn’t confuse you this time.
@venkatasri Hope you got my requirement? Any suggestions on how to write the query? Please advise.
 
		
		
		
		
		
	
			
		
		
			
					
		if the event doesn't have the bytes associated to the file splunk can not provide that detail.
for example if the event is,
file: temp.txt, 45 bytes, created today, file closed.
Then in this scenario that contains knowledge about file temp.txt of size 45 bytes and it's closed. Then Splunk can retrieve and Alert/report etc can be created.
What we need to retrieve in this case bytes must exist in 'events' / _raw data.
Hope this clarifies.
 
		
		
		
		
		
	
			
		
		
			
					
		series="*.imp" might work , you have to find out what else been included here. There could be other files with same name.
