real time monitoring of text file

rashidmirza · ‎10-16-2011

I would like to setup splunk so that i can pick up keywords the instant they appear in a text file. The text file is continiously being updated, and therefore the challenge is to pick up the keyword in the new text that was written to the file, and not look at the old text. I want to be notified via email the moment that keyword appears in the text file.
How can i achieve this in splunk:
What schedule type do i need?
Run every ?
Alert condition setting?
Throttle setting?
Expiration setting?

regards

rashidmirza · ‎10-18-2011

well, i have added the inputs.conf file to the folder that was suggested. I am now struggling with what condition to put for the alerts. Basically the following are at disposal: 1)always 2)if number of events 3)if number of hosts 4)if number of sources 5)if custom condition is met
need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to in the dynamic text file.
Also i have set the start time as 'rt-60s' and finish time as 'rt'.

gkanapathy · ‎10-17-2011

You should use a realtime search, not a scheduled one. The alert condition and throttle settings are up to you, but presumably your alert condition should simply be "always", based on your description. I would advise you to read the documentation on alerts:

http://docs.splunk.com/Documentation/Splunk/latest/User/MonitoringRecurringSituations

in particular, there are examples linked from there that exactly match your requirements, as well as more in-depth discussion should you ever need to do something different.

gkanapathy · ‎10-17-2011

I see. Then you're going to have run a realtime search over a window with a suppression period equal to that window (which isn't ideal) or wait for the next release that will have per-result alerting that can clear the queue on each alert.

rashidmirza · ‎10-17-2011

when i say failed in my previous statement, i mean i was getting alerts because of the previous presence of the keywords in the text file, where in fact i want to be alerted if there is a new entry of the keyword in the text file.

rashidmirza · ‎10-17-2011

well i have tried realtime search by running my created search name under searches and reports, and defined a realtime search with a window of 1 minute.
Also set the alert condition to always, but seem to have failed. Will look at the link you suggested.

rashidmirza · ‎10-17-2011

My setup is as follows:
in 'Get data from files and directories' under 'Advanced Options' i enabled the 'Follow Tail'.
In the 'Searches and Reports' , Alerts section, if i give Alert condition as 'always' then i am continiously getting alerts, when infact i want to be alerted only when the key word exists in new text that was written to the text file, since a 'Follow Tail' was done.
Need to know what the appropriate alert needs to be for this setup.

rashidmirza · ‎10-17-2011

yes i know what the keyword is...

Drainy · ‎10-17-2011

Do you know what the keyword will be in advance?

real time monitoring of text file

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

real time monitoring of text file

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25