Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: How to create the below alert?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create the below alert?
I have below source. now I have to create an alert if any source is missing everyday. The file name changes everyday as it starts with a timestamp i.e. in this case we have "060418_1002" which will change everyday. Help me on the same.
Cant use lookup to compare as file name changes because it starts with a timestamp.
Below are the sample sources.
/logs/web/output/accm/060418_1002_CAP_sat1svmap504_cert_details.log
/logs/web/output/accm/060418_1003_CAP_sat1svmap504_cert_details.log
/logs/web/output/accm/060818_0300_CAP_dfw1svpap505_cert_details.log
/logs/web/output/accm/060818_0300_CAP_sat1svmap536_cert_details.log
/logs/web/output/accm/060818_0300_PROD_dfw1svpap505_cert_details.log
/logs/web/output/sc/060418_1105_PROD_dfw1svpap621_cert_details.log
/logs/web/output/sc/060418_1106_PSP1_dfw1svpap621_cert_details.log
/logs/web/output/sc/060818_0230_UAT1_sat1svmap628_cert_details.log
/logs/web/output/sc/060818_0230_UAT1_sat1svmap629_cert_details.log
/logs/web/output/smartauction2.0/052518_1530_CAP1_sat1svmap660_cert_details.log
/logs/web/output/smartauction2.0/052518_1530_PRD1_sat1svmap660_cert_details.log
/logs/web/output/smartauction2.0/052518_1530_PSP1_dfw1svpap661_cert_details.log
/logs/web/output/smartauction2.0/052518_1530_PSP1_sat1svmap660_cert_details.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to understand your question better and for example
/logs/web/output/accm/060418_1002_CAP_sat1svmap504_cert_details.log
from this source ONLY this part (060418_1002_) is dynamic and changes , should events from this source be logged for the day, right?
Hint - If my understanding is true /logs/web/output/accm/CAP_sat1svmap504_cert_details.log - with
(060418_1002_CAP) removed, the remaining part for this source always remains constant?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After seeing the below answer and your comment I am more confused now,
to me the first 2 rows are from the same source but the third row is a different source, is that correct? If so this is what you need to do -
1- Use the substr function to eliminate the dynamic parts from all the source entries, let us call this field src.
2- |eventstats max(_time) as last_time by src.
3- extract the date time part from now() and the same from last_time. now() gives you today's datetime. if the extracted date times are not equal to each other, your respective src did not have any entries today.
4-I suspect though, you actualy may want to check not for today but for yesterday (assuming the source can log anytime on any given day till 11:59 PM), in that case you just need to subtract 1 day each from now() and last_time before extracting the date times to make a comparision
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sukisen,
For more clarification, Below is the sources for one host for last two days.
For 12 June:
/logs/web/output/accm/061218_0300_CAP_dfw1svpap505_cert_details.log
/logs/web/output/accm/061218_0300_CAP_sat1svmap535_cert_details.log
/logs/web/output/accm/061218_0300_CAP_sat1svmap536_cert_details.log
/logs/web/output/accm/061218_0300_PROD_dfw1svpap505_cert_details.log
/logs/web/output/accm/061218_0300_PROD_dfw1svpap506_cert_details.log
/logs/web/output/accm/061218_0300_PROD_dfw1svpap507_cert_details.log
/logs/web/output/accm/061218_0300_PROD_sat1svmap535_cert_details.log
/logs/web/output/accm/061218_0300_PROD_sat1svmap536_cert_details.log
/logs/web/output/accm/061218_0300_PROD_sat1svmap537_cert_details.log
/logs/web/output/accm/061218_0300_PROD_sat1svmap538_cert_details.log
/logs/web/output/accm/061218_0300_UAT_dfw1svpap505_cert_details.log
/logs/web/output/accm/061218_0300_UAT_dfw1svpap506_cert_details.log
/logs/web/output/accm/061218_0300_UAT_dfw1svpap507_cert_details.log
/logs/web/output/accm/061218_0300_UAT_sat1svmap535_cert_details.log
/logs/web/output/accm/061218_0300_UAT_sat1svmap536_cert_details.log
/logs/web/output/accm/061218_0300_UAT_sat1svmap537_cert_details.log
/logs/web/output/accm/061218_0300_UAT_sat1svmap538_cert_details.log
/logs/web/output/accm/061218_1500_CAP_sat1svmap504_cert_details.log
/logs/web/output/accm/061218_1500_CAP_sat1svmap505_cert_details.log
/logs/web/output/accm/061218_1500_CAP_sat1svmap506_cert_details.log
/logs/web/output/accm/061218_1500_CAP_sat1svmap507_cert_details.log
For 13 June:
/logs/web/output/accm/061318_0300_CAP_dfw1svpap504_cert_details.log
/logs/web/output/accm/061318_0300_CAP_dfw1svpap505_cert_details.log
/logs/web/output/accm/061318_0300_CAP_sat1svmap535_cert_details.log
/logs/web/output/accm/061318_0300_CAP_sat1svmap536_cert_details.log
/logs/web/output/accm/061318_0300_PROD_dfw1svpap504_cert_details.log
/logs/web/output/accm/061318_0300_PROD_dfw1svpap505_cert_details.log
/logs/web/output/accm/061318_0300_PROD_dfw1svpap506_cert_details.log
/logs/web/output/accm/061318_0300_PROD_dfw1svpap507_cert_details.log
/logs/web/output/accm/061318_0300_PROD_sat1svmap535_cert_details.log
/logs/web/output/accm/061318_0300_PROD_sat1svmap536_cert_details.log
/logs/web/output/accm/061318_0300_PROD_sat1svmap537_cert_details.log
/logs/web/output/accm/061318_0300_PROD_sat1svmap538_cert_details.log
/logs/web/output/accm/061318_0300_UAT_dfw1svpap504_cert_details.log
/logs/web/output/accm/061318_0300_UAT_dfw1svpap505_cert_details.log
/logs/web/output/accm/061318_0300_UAT_dfw1svpap506_cert_details.log
/logs/web/output/accm/061318_0300_UAT_dfw1svpap507_cert_details.log
/logs/web/output/accm/061318_0300_UAT_sat1svmap535_cert_details.log
/logs/web/output/accm/061318_0300_UAT_sat1svmap536_cert_details.log
/logs/web/output/accm/061318_0300_UAT_sat1svmap537_cert_details.log
/logs/web/output/accm/061318_0300_UAT_sat1svmap538_cert_details.log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @abhi04
why dont you create an alert in a usual way
your search | stats dc(source) as sourcecount
& in trigger conditions ---- choose Custom --- sourcecount<13
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to list the source as well which all are missing.
Index This | What’s a riddle wrapped in an enigma?
BORE at .conf25
OpenTelemetry for Legacy Apps? Yes, You Can!
