Hi,
I'm ingesting files from a different folder. If I want to create an alert when the file's last modified time is more than a specified time, like 10 mins, from now, how do I create the alert? Thanks
Well, you don't have access to "file last modified time" on a file that you are indexing, but you do have access to the last time that Splunk saw new data from that file:
| metadata type=sources | where lastTime < now()-600
This will give you a list of all files that have had no new data in the last 10 minutes. You might want to add a search at the end to filter out for a particular directory:
| metadata type=sources | where lastTime < now()-600 | search source=*/mydir/*
Then you can save the search as an alert with the criteria of "# results > 0".
This search will run very very quickly.
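Added example, not part of the answer above: a savedsearches.conf stanza that wires the metadata search into a scheduled alert with the "# results > 0" condition. The stanza name, the index name monitorfolder (taken from the asker's later search), the /mydir/ path pattern and the email recipient are assumptions to adjust for your own deployment. Two caveats worth knowing when you build this: field names in where are case sensitive, so the field must be written lastTime, and metadata only lists sources that have indexed data at all, so a file that never arrived will not show up as stale, it simply will not appear.

```ini
# Added example (not from the thread): savedsearches.conf stanza that alerts when
# any monitored file has sent no new data for more than 10 minutes.
# Stanza name, index, path pattern and recipient are assumptions.
[Stale file source - no new data in 10 min]
# Scope metadata to the index the files land in (assumed name); without index=
# it only covers the default search indexes. stale_min is added for readability.
search = | metadata type=sources index=monitorfolder | where lastTime < now()-600 | search source=*/mydir/* | eval stale_min=round((now()-lastTime)/60) | table source lastTime stale_min
# A scheduled search needs a time range even though metadata is cheap to run.
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Run every 5 minutes.
enableSched = 1
cron_schedule = */5 * * * *
# Alert condition "# results > 0" from the answer above.
counttype = number of events
relation = greater than
quantity = 0
# Keep a record under Triggered Alerts so a silent log source is visible
# even if the email action fails.
alert.track = 1
alert.severity = 4
# Email the list of stale sources (recipient is a placeholder).
action.email = 1
action.email.to = soc-team@example.com
action.email.subject = Splunk: $result.source$ has stopped sending data
action.email.include.results_link = 1
```

A file source going quiet is as much a monitoring gap as an application fault, so treating it as an alert with a tracked history (alert.track = 1) lets you later audit how long a log feed was missing.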
When I search using this statement, it returns more than 2 results that are already indexed. Is that correct?
| metadata type=sources index="monitorfolder" | where lastTime < now()-300 | search source="D:\xml\check\test.xml"
If the file modification time can be assigned to the Splunk event, then it will work.
| stats latest(_time) as LastModified | where LastModified < now()-600
index="test" source="D:\splunk\text\rest 1.txt" | where _time < now() - 600
will not work. I have updated my answer - it had a typo, as @martin_mueller pointed out.
Run the search exactly as written (now that it is fixed).
Is there anything I need to configure, as with "| metadata type=hosts", for my search? It returns no results.
| metadata type=source | where lastTime < now()-600 seems not to work. Can you assist?
Hi, thanks for the info. I would like to check whether the search below is correct to trigger an alert when there is no update of the file for more than 10 mins?
index="test" source="D:\splunk\text\rest 1.txt" | where _time < now() - 600
There's an "s" missing:
| metadata type=sources | ...