Alerting

How to set up a real-time alert every time a keyword is found in a log file that is constantly updated?

Engager

Hi all,

I am new to Splunk. I would like to set up real-time updating on a log file, so that Splunk can alert every time it finds a keyword in the log file. The log file is constantly being updated by an external source.


Builder

So there are a few steps to get this done and it is not clear where you are in the process.

Is the log file in question already configured as a monitor input? If not, first you have to get the data into Splunk, and for that I would direct you here:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Once the data is in Splunk, you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into Splunk, typing in the keyword and optionally picking a time range, since the default is "all-time".

Once you have confirmed that your search finds the expected results, I would click "Save As -> Alert" and set it to real-time if you truly need real-time alerts for this condition.

You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions


Engager

Hi chanfoli,

Thanks for the answer! I am currently trying to figure out how to monitor the log file. When I click "monitor", Splunk does not let me select a file from my log file repository.


Builder

Sorry I missed your comment, but if the files are external to the sandbox instance, the standard way of getting them monitored and indexed involves installing a universal forwarder on the machine where the logs are generated, or at least a machine that has access to them.

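Pulling together the steps from the accepted answer (monitor input, verification search, "Save As -> Alert" set to real-time, email action) and the universal-forwarder note just above, here is an added example of the configuration files that those UI steps produce. It is not code from the thread or from Splunk's documentation: the file path, index and sourcetype names, indexer hostname, alert name and email address are all constructed placeholders, and the search head still needs a mail server configured for the email action to send anything.

```ini
# ===== On the universal forwarder (the host where the log is written) =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Tail the file continuously. Path, sourcetype and index are placeholders.
[monitor:///var/log/app/app.log]
sourcetype = app_log
index = main
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Ship the events to the indexer (hostname and port are placeholders;
# 9997 is the conventional receiving port, which must be enabled on the indexer).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.internal:9997

# ===== On the search head =====
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
#
# Before saving the alert, the same search string is run in the search bar
# with a bounded time range to confirm it matches only what is expected, e.g.
#   index=main sourcetype=app_log "ERROR" | stats count by host, source
#
# Real-time alert: the rt-1m / rt window keeps a search running against
# incoming events instead of re-querying the index on a schedule.
[Keyword alert - app_log ERROR]
search = index=main sourcetype=app_log "ERROR"
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt

# Trigger condition: "number of events" is "greater than" 0
counttype = number of events
relation = greater than
quantity = 0

# Throttle: a burst of matching lines sends one notification per 5 minutes,
# rather than one email per event.
alert.suppress = 1
alert.suppress.period = 5m
alert.track = 1
alert.severity = 4

# Email action; the recipient address is a placeholder.
action.email = 1
action.email.to = secops@example.com
action.email.subject = Splunk alert: $name$
```

A real-time search occupies a search process and a CPU core on the search head for as long as the alert is enabled, so if "within a minute" is acceptable, the cheaper equivalent is a scheduled search (for example `cron_schedule = * * * * *` with `dispatch.earliest_time = -1m@m` and `dispatch.latest_time = @m`) that uses the same trigger condition. Either way, keep the throttle: a keyword that suddenly appears on every line of a busy log will otherwise flood the mailbox and bury the first, most useful notification.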

Engager

I am using Splunk 6.2 Sandbox
