Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up a real-time alert every time a keyword is found in a log file that is constantly updated?

tylerli800
Engager
‎01-07-2015 11:42 AM

Hi all,

I am new to splunk. I would like to set up real time updating on a log file, so that splunk can alert every time it finds a keyword in the log file. The log file is constantly being updated by an external source.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-07-2015 12:24 PM

So there are a few steps to get this done and it is not clear where you are in the process.

Is the log file in question already configured as a monitor input? If not, first you have to get the data into splunk and for that I would direct you here:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Once the data is in splunk you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into splunk and typing in the keyword and optionally picking a time range, since the default is "all-time"

Once you have confirmed that your search finds the expected results. I would go to Click "Save As->Alert" and set to real-time if you truly need real time alerts for this condition.

You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions

View solution in original post

Reply
Solved! Jump to solution
Solution

chanfoli
Builder
‎01-07-2015 12:24 PM

So there are a few steps to get this done and it is not clear where you are in the process.

Is the log file in question already configured as a monitor input? If not, first you have to get the data into splunk and for that I would direct you here:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Once the data is in splunk you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into splunk and typing in the keyword and optionally picking a time range, since the default is "all-time"

Once you have confirmed that your search finds the expected results. I would go to Click "Save As->Alert" and set to real-time if you truly need real time alerts for this condition.

You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions

Reply
Solved! Jump to solution

tylerli800
Engager
‎01-07-2015 12:28 PM

Hi chanfoli,

Thanks for the answer! I am currently trying to figure out how to monitor the log file. When I click "monitor", Splunk does not let me select a file from my log file repository.

0 Karma
Reply
Solved! Jump to solution

chanfoli
Builder
‎01-13-2015 01:59 PM

Sorry I missed your comment, but if the files are external to the sandbox instance, the standard way of getting them monitored and indexed involves installing a universal forwarder on the machine where the logs are generated, or at least a machine that has access to them.

0 Karma
Reply
Solved! Jump to solution

tylerli800
Engager
‎01-07-2015 12:20 PM

I am using Splunk 6.2 Sandbox

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...