Alerting

alert when there is no change in the modified date of the file

SplunkCSIT
Communicator

Hi,
I'm ingesting files from a different folder. If I want to create an alert when the file's last modified time is more than a specified time, like 10 mins from now, how do I create the alert? Thanks.

0 Karma

lguinn2
Legend

Well, you don't have access to "file last modified time" on a file that you are indexing, but you do have access to the last time that Splunk saw new data from that file:

| metadata type=sources | where lastTime < now()-600

This will give you a list of all files that have had no new data in the last 10 minutes. You might want to add a search at the end to filter out for a particular directory:

| metadata type=sources | where lastTime < now()-600 | search source=*/mydir/*

Then you can save the search as an alert with the criteria of "# results > 0"

This search will run very very quickly.

0 Karma
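A fuller version of the metadata-based alert search, as an added example that is not part of the answer above. It assumes the index name `monitorfolder` and the directory filter `*/mydir/*` used elsewhere in this thread; both are placeholders to replace with your own. It uses `recentTime` (the index time of the newest event for that source) rather than `lastTime` (the `_time` of the newest event), because "Splunk has seen no new data from this file" is a statement about indexing, not about event timestamps, and a file with old timestamps inside it would otherwise look stale even while it is still being read:

```spl
| metadata type=sources index=monitorfolder
| search source="*/mydir/*"
| eval stale_sec = now() - recentTime
| where stale_sec > 600
| eval last_indexed = strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table source last_indexed stale_sec totalCount
```

Save it as an alert with the trigger condition "number of results is greater than 0". Two things to keep in mind: `metadata` only knows about sources that have sent at least one event, so a file that never arrived will not show up at all; and a source that was rotated or deleted stays in the list and will keep matching every run unless you filter it out (for example with an additional `where` on `lastTime` or a tighter `source` pattern). On Windows the `source` value uses backslashes, so the filter would be written against a path like the `D:\...` examples in this thread.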

newbiesplunk
Path Finder

When I search using this statement, it returns more than 2 results that are already indexed. Is it correct?

| metadata type=sources index="monitorfolder" | where lastTime < now()-300| search source="D:\xml\check\test.xml"

0 Karma

linu1988
Champion

If the file modification time can be assigned to the Splunk event, then it will work.

| stats latest(_time) as LastModified | where LastModified < now()-600

0 Karma
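An event-based variant of the check above with its base search filled in, added here as an example and not taken from the answer. It assumes the index name `monitorfolder` from this thread and uses `tstats` over the index's `.tsidx` files, which is far cheaper than scanning raw events with `stats`. Note the time range: a source that has been silent longer than the search window produces no rows at all, so the window must be wider than the threshold you alert on (here 24 hours for a 10-minute threshold), otherwise silence is invisible to the search:

```spl
| tstats max(_time) as last_event where index=monitorfolder earliest=-24h by source
| eval age_sec = now() - last_event
| where age_sec > 600
| eval last_event = strftime(last_event, "%Y-%m-%d %H:%M:%S")
| table source last_event age_sec
```

As the answer above says, this only means "last modified" if `_time` actually carries the file's modification time (or a timestamp that advances with each write); if timestamps are parsed from old content inside the file, compare against index time instead, for example with `| metadata type=sources` and its `recentTime` field.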

lguinn2
Legend

index="test" source="D:\splunk\text\rest 1.txt" | where _time < now() - 600

will not work. I have updated my answer - it had a typo as @martin_mueller pointed out.
Run the search exactly as written (now that it is fixed).

SplunkCSIT
Communicator

Is there anything that needs to be configured, as "| metadata type=hosts" in my search returns no results?

0 Karma

SplunkCSIT
Communicator

| metadata type=source | where lasttime < now()-600 seems not to work. Can you assist?

0 Karma

SplunkCSIT
Communicator

Hi, thanks for the info. I would like to check whether the below search is correct to trigger an alert when there is no update of the file for more than 10 mins:

index="test" source="D:\splunk\text\rest 1.txt" | where _time < now() - 600

0 Karma

martin_mueller
SplunkTrust

There's an "s" missing:

| metadata type=sources | ...