Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to set up an alert email to trigger whenever a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up an alert email to trigger whenever a file is updated or modified and include the changes in the email?
Hi all,
I have a monitor set up which monitors the mod-time on a file and reindexes the new one if available. I would like to set up alerts so that whenever a file is "updated or modified" it sends an email, possibly with the changes in the email. I would use the unique problem number associated with each file as well as the queue that it is relevant to ( they are both fields) I.E.
Original File
______________________________________________________
John's Queue-
Problem Number- 1234
Problem Text-
The problem seems to be associated with a Disk Drive
________________________________________________________
Modified File
_______________________________________________________
John's Queue-
Problem Number- 1234
Problem Text-
The problem seems to be associated with a Disk Drive
Update- The problem turned out to be the cable not the disk drive
______________________________________________________________________
This would trigger an alert that would send out an email which would hopefully send out either the new event or just the updated portion, if this is not possible than a simple alert would suffice. My end goal is to achieve one of the 3 scenarios listed below. Thank you in advance.
Email scenario 1
___________________________________________________________________
Hello John, problem numer 1234 has been modified, the changes are listed below
"Update- The problem turned out to be the cable not the disk drive"
_______________________________________________________________________
Email scenario 2
___________________________________________________________________
Hello John, problem numer 1234 has been modified, the updated event is listed below
John's Queue-
Problem Number- 1234
Problem Text-
The problem seems to be associated with a Disk Drive
Update- The problem turned out to be the cable not the disk drive
_______________________________________________________________________
Email scenario 3
___________________________________________________________________
Hello John, problem numer 1234 has been modified
_______________________________________________________________________
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is configured to re-index if the mod_time changes, should i change it? Also the content comes in as one event, this contains the problem number and all the text and information associated with it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you've configure crcSalt in inputs.conf to re-index the file if the content changes??
How are the event broken, does whole file content comes as one event OR each line as one event?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
