monitor file

newbiesplunk · ‎06-03-2014

I was just wondering if Splunk can be scheduled to monitor a unique file e.g c:\test.txt regularly, and send out alerts if this file does not get updated for a specific time period , lets say for 5 minutes.
Please help, thks

lguinn2 · ‎06-03-2014

Yes, it is quite simple. There are several ways to do it, but I recommend this:

| metadata type=sources | where source="C:\test.txt" 
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"

will list the file and the last time Splunk received data from that file. If this works for you, then use the following variation and alert if number of results > 0.

| metadata type=sources | where source="C:\test.txt" 
| where lasttime < now()-300
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"

now()-300 is the epoch time of "5 minutes ago"

newbiesplunk · ‎06-05-2014

Hi,
when i entered | metadata type=sources | where source="C:\test.txt"
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"to search, nothing returns even though i got one file. Anything else i need to set? thks

somesoni2 · ‎06-03-2014

A regular file monitoring can be setup for this file which will get indexed into a specific index/sourcetype. Once this is setup, you can create a schedule search which will run every 5min and check if there are any data from the file in the specific index/sourcetype, if not than trigger alert.

monitor file

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!