Alerting

Scheduling and Triggering An Alert if the keyword is not in logs

anandhalagarasa
Path Finder

Hi Team,

Usually the keyword "College Begins" would be repeated nearly 4 times in a minute in logs.

So i want to schedule an alert and email i.e. if the keyword " College Begins" is not there in the log for last 5 minutes. So my index=abc and host=def source=ijk

So i want the query to trigger an alert if the keyword College begins is not present in the logs.

Sample Logs:

2019-07-21 03:26:44,371|INFO|[1]|Name=XYZ|CollegeId=|College Begins
2019-07-22 05:30:48,761|DEBUG|[1]|Name=Ant|CollegeId=|College Ends
2019-07-22 05:30:48,761|DEBUG|[1]|Name=Ant|CollegeId=|College done

Tags (1)
0 Karma

woodcock
Esteemed Legend

Try this:

index=<You should always specify an index> AND sourcetype=<And sourcetype too> "College begins"
| streamstats window=2 range(_time) pause_seconds
| eval pause_seconds=coalesce(pause_seconds, now() - _time)
| where pause_seconds > (5 * 60)
0 Karma

adonio
Ultra Champion

try this:
index=abc and host=def source=ijk ... "College Begins" | stats count every 5 minutes
alert if count = 0

note, to make sure you dont miss anything, might be better to do something like this:
earliest = -7m@m latest=-2m@m ... rest of your search

hope it helps

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...