Newly created Sourcetype should alert in Splunk Alerts

Path Finder

Hi Team,

I have a requirement that to ingest a particular logs from a client machine so I have created a custom app with inputs in place. i.e. with source & sourcetype. Here sourcetype i have created newly as abcd. And I have pushed the custom app from Deployment server which in turn its getting applied to indexers and the log has been ingested into Splunk Cloud.

My query is that for each and every sourcetype which we create newly should be reported to Security Operations team so that they will keep track of it.

For example if a new sourcetype has been created and deployed from our end then the same day or the consecutive day an email has to be triggered to Security Operations team.

So what would be the search query to fetch the data.

Tags (1)
0 Karma


Hi anandhalagarasan,
if you want a daily check you could schedule an alert running e.g. at 00.15 with a search like this one:

index=_internal earliest=-d@d latest=@d
| stats dc(date_mday) AS count_day max(date_mday) AS day BY sourcetype
| eval checkdate=if(day=tonumber(strftime(now(),"%d"))-1,"OK","NOK")
| where checkdate="OK" AND count_day>1

Remember that it isn't a good idea to have too many sourcetypes and that all the knowledhe object (as fields, tags, eventtypes, etc...) are related to sourcetype, so if you continuosly add new ones it's more difficolut to use them.


0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...