Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- monitor file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
monitor file
I was just wondering if Splunk can be scheduled to monitor a unique file e.g c:\test.txt regularly, and send out alerts if this file does not get updated for a specific time period , lets say for 5 minutes.
Please help, thks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is quite simple. There are several ways to do it, but I recommend this:
| metadata type=sources | where source="C:\test.txt"
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"
will list the file and the last time Splunk received data from that file. If this works for you, then use the following variation and alert if number of results > 0.
| metadata type=sources | where source="C:\test.txt"
| where lasttime < now()-300
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"
now()-300 is the epoch time of "5 minutes ago"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
when i entered | metadata type=sources | where source="C:\test.txt"
| eval "Last Update"=strftime(lasttime, "%c")
| table source "Last Update"to search, nothing returns even though i got one file. Anything else i need to set? thks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A regular file monitoring can be setup for this file which will get indexed into a specific index/sourcetype. Once this is setup, you can create a schedule search which will run every 5min and check if there are any data from the file in the specific index/sourcetype, if not than trigger alert.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
