Using logs stored in a CSV file, how do I create a...

rick2015 · ‎04-12-2016

Hi,

I have a CSV file where logs are stored if a user adds, creates, or delete files.
I wanted to set up an alert if someone deletes files. How can I do this?

Regards

somesoni2 · ‎04-13-2016

Assuming that the field extraction is setup correctly, and the field Action contains a definite keyword if a delete action is performed, try something like this

index=foo sourcetype=bar Action="delete" | table _time ,Users, IP, "Connection type", "Access resources", Action

Run this search at the frequency that you need and set the time range to match the frequency (e.g. alert running every 15 minute and time range is set to last 15 min : -15m@m to @m).

somesoni2 · ‎04-12-2016

What all fields are available in the csv file? Is it available as lookup table in Splunk OR you're monitoring the csv file to be stored in an index?

rick2015 · ‎04-13-2016

fields are: Time :Users:IP:Connection type:Access resources:Action

On the csv file there is continuously monitoring.

Using logs stored in a CSV file, how do I create an alert to trigger if a user deletes a file?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation