Monitoring file on unix and alerting based on some...

abhijitsaoji · ‎07-22-2019

I have set file monitoring, file is placed on the Unix . I am able to see the events being indexed in the Splunk however my alerting is not working. on the same file I have set-up some conditional alerting, I want an alert to be raised if particular text appears in the file however it is not triggering.any idea?

skalliger · ‎07-24-2019

To troubleshoot this, we need atleast two things: example data and the SPL (your query) which should fire.

Skalli

abhijitsaoji · ‎07-24-2019

hey, thanks for the reply. I can't give actual search, but this should do. as

my search in the saved alert:
source="/opt/splunk/akash_test/test" host="XXX" sourcetype="XXX" "test"

as it was not working just to test I was running this above search in my alert. I am editing the file and adding word test in it so that my Alert catches it and send email but its not happening. its a real time search and file is placed on Unix. As i mentioned data is getting indexed in the Splunk I can see it in the Search.

Example data:
test
ABC
test
xxx
test

Monitoring file on unix and alerting based on some condition on the same file