Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to set up a real-time alert every time a keywo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So there are a few steps to get this done and it is not clear where you are in the process.
Is the log file in question already configured as a monitor input? If not, first you have to get the data into splunk and for that I would direct you here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories
Once the data is in splunk you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into splunk and typing in the keyword and optionally picking a time range, since the default is "all-time"
Once you have confirmed that your search finds the expected results. I would go to Click "Save As->Alert" and set to real-time if you truly need real time alerts for this condition.
You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So there are a few steps to get this done and it is not clear where you are in the process.
Is the log file in question already configured as a monitor input? If not, first you have to get the data into splunk and for that I would direct you here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories
Once the data is in splunk you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into splunk and typing in the keyword and optionally picking a time range, since the default is "all-time"
Once you have confirmed that your search finds the expected results. I would go to Click "Save As->Alert" and set to real-time if you truly need real time alerts for this condition.
You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi chanfoli,
Thanks for the answer! I am currently trying to figure out how to monitor the log file. When I click "monitor", Splunk does not let me select a file from my log file repository.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I missed your comment, but if the files are external to the sandbox instance, the standard way of getting them monitored and indexed involves installing a universal forwarder on the machine where the logs are generated, or at least a machine that has access to them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using Splunk 6.2 Sandbox
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
Data Management Digest – December 2025
