Using logs stored in a CSV file, how do I create a...

rick2015 · ‎04-12-2016

Hi,

I have a CSV file where logs are stored if a user adds, creates, or delete files.
I wanted to set up an alert if someone deletes files. How can I do this?

Regards

somesoni2 · ‎04-13-2016

Assuming that the field extraction is setup correctly, and the field Action contains a definite keyword if a delete action is performed, try something like this

index=foo sourcetype=bar Action="delete" | table _time ,Users, IP, "Connection type", "Access resources", Action

Run this search at the frequency that you need and set the time range to match the frequency (e.g. alert running every 15 minute and time range is set to last 15 min : -15m@m to @m).

somesoni2 · ‎04-12-2016

What all fields are available in the csv file? Is it available as lookup table in Splunk OR you're monitoring the csv file to be stored in an index?

rick2015 · ‎04-13-2016

fields are: Time :Users:IP:Connection type:Access resources:Action

On the csv file there is continuously monitoring.

Using logs stored in a CSV file, how do I create an alert to trigger if a user deletes a file?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Using logs stored in a CSV file, how do I create an alert to trigger if a user deletes a file?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...