create alert to monitor the update of a file


I need to monitor the file's last modified date and trigger an alert when there is no change in the last modified date of the file for more than 8 mins. What will the config look like? Thanks


Splunk Employee

Think of it this way...

Your search must produce a value to test.
So you compare the last modified date to the current date, and if they're the same, you have no change.
In terms of Splunk, that would be where you create a field via eval, use an if statement and set a flag, i.e. if it's the same, set a 1; if not, a 0. Then you're going to sum those flags.
You'll run the search with earliest=-8m and perhaps latest=now.
Your alert will run, say, every 9 minutes and trigger if the search produces a number > 1.

You could get pretty sophisticated if you used streamstats, which allows you to sort of "walk" through the events and pick the ones you want to compare to each other... but that's probably for later.

If you want more detail, you can provide us with an example of an event and the search you're working on to produce your alert trigger...

Perhaps you want to take a look at the Alerting Recipes section of David Carasso's book Exploring Splunk. It's a free book. It discusses converting monitors to alerts and might help you see the right angles.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
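As an added worked example (not from the original thread or from Splunk's documentation), here is a savedsearches.conf stanza that implements the flag-and-sum approach described in the answer, using streamstats to compare each poll with the previous one. It assumes a polling input that indexes one event per check into index=file_monitor with sourcetype=file_stat, a path field, and a modtime field holding the file's modification time as epoch seconds; the index, sourcetype, field names, file path and e-mail address are all assumptions.

```ini
# Added example stanza for savedsearches.conf (not from the original thread).
# Assumed data: one event per poll, fields path and modtime (epoch seconds).
[file_stale_heartbeat]
enableSched = 1
# Run every 9 minutes, as suggested in the answer above
cron_schedule = */9 * * * *
# Look back 8 minutes, up to now
dispatch.earliest_time = -8m
dispatch.latest_time = now
# Flag each poll whose modtime equals the previous poll's modtime (1 = unchanged),
# then sum the flags; a row survives the where clause only when the file is stale
search = index=file_monitor sourcetype=file_stat path="/var/app/heartbeat.dat" \
  | sort 0 _time \
  | streamstats current=f last(modtime) as prev_modtime \
  | eval unchanged=if(isnotnull(prev_modtime) AND modtime=prev_modtime, 1, 0) \
  | stats count as polls, sum(unchanged) as unchanged_polls, max(modtime) as last_modified \
  | where polls=0 OR unchanged_polls=polls-1 \
  | eval last_modified=strftime(last_modified, "%Y-%m-%d %H:%M:%S")
# Trigger when the search returns a row: either no polls arrived at all,
# or every poll after the first saw the same modtime
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
action.email = 1
action.email.to = ops-oncall@example.com
```

The polls=0 branch is deliberate: if the polling input itself stops, the window is empty and the file should still be reported as stale rather than silently passing. Shorten the poll interval relative to the 8-minute window so that at least two events fall inside it, otherwise the comparison has nothing to compare.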