Solved: Splunk alert for failing to read log files.

travelcsa · ‎01-30-2015

Is there an alert in Splunk or one we can set up that will alert us if Splunk hasn't read log files for more than 5 minutes.

travelcsa · ‎02-02-2015

Sanjay,

Thank you for that. Here is my final query. Since we have to monitor 10 production servers, I saved this and created an alert that looks for 10 hosts. If Splunk stops receiving logs from any of the 10, the alert notifies us and works perfectly.

host=web10 OR host=web11 OR host=web12 OR host=web13 OR host=web14 OR host=soa20 OR host=soa21 OR host=soa22 OR host=soa23 OR host=soa24 earliest=-5m latest=now | stats count(host) by host

Much appreciated.

View solution in original post

travelcsa · ‎02-02-2015

Sanjay,

Thank you for that. Here is my final query. Since we have to monitor 10 production servers, I saved this and created an alert that looks for 10 hosts. If Splunk stops receiving logs from any of the 10, the alert notifies us and works perfectly.

host=web10 OR host=web11 OR host=web12 OR host=web13 OR host=web14 OR host=soa20 OR host=soa21 OR host=soa22 OR host=soa23 OR host=soa24 earliest=-5m latest=now | stats count(host) by host

Much appreciated.

sanjay_shrestha · ‎01-30-2015

Yes. You can create a alert for a search query as below:

host=yourhost earliest=-5m latest=now|stats count

Splunk alert for failing to read log files.

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!