How to send email alert if certain text is found i...

scottystang · ‎05-04-2015

Hello,

I'm new to splunk and was curious if there's a way to configure an email alert that happens if certain text appears in a log file.

For example, in my sample.log file I want to check for the text "this is something bad" and then email me when it's found.

Can splunk do this? If so, can you point me to a tutorial as to how?

Thank you!

scottystang · ‎05-04-2015

Awesome, thanks for the replies. I'll give it a shot, sounds straight forward!

jeffland · ‎05-04-2015

You don't neccessarily need a tutorial for that, that's very simple!

One of the ideas of alerts is to send an email whenever a search returns (more than a certain number of of) results. So what you do is create a search as simple as

index=foo "this is something bad"

set the timeframe for the search and the schedule to something that suits your need (i.e. search over a timeframe of the last hour and schedule it to run every hour) and send you an alert as soon as it returns a result. If you want, have a look here for more detail.

richgalloway · ‎05-04-2015

Yes, Splunk can do that. First, create a search that looks for the text. Then schedule that search to run regularly by checking the "Schedule and Alert" box. Select "if number of events" from the Condition drop-down and put 0 (zero) as the triggering quantity. Check the "Send email" box under "Alert Actions" and fill in the To and CC fields as desired. Save those settings and you should get an alert the next time the search finds that text in your log file.

---
If this reply helps you, Karma would be appreciated.

How to send email alert if certain text is found in a log file?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...