Getting Data In

real time monitoring of text file

rashidmirza
New Member

I would like to set up Splunk so that I can pick up keywords the instant they appear in a text file. The text file is continuously being updated, and therefore the challenge is to pick up the keyword in the new text that was written to the file, and not look at the old text. I want to be notified via email the moment that keyword appears in the text file.
How can I achieve this in Splunk:
What schedule type do i need?
Run every ?
Alert condition setting?
Throttle setting?
Expiration setting?

regards


rashidmirza
New Member

Well, I have added the inputs.conf file to the folder that was suggested. I am now struggling with what condition to put for the alerts. Basically the following are at my disposal: 1) always 2) if number of events 3) if number of hosts 4) if number of sources 5) if custom condition is met.
I need to know which one to define, so that the alert is sent out the moment the keyword is there in the new text that was written to the dynamic text file.
Also, I have set the start time as 'rt-60s' and the finish time as 'rt'.


gkanapathy
Splunk Employee

You should use a realtime search, not a scheduled one. The alert condition and throttle settings are up to you, but presumably your alert condition should simply be "always", based on your description. I would advise you to read the documentation on alerts:

http://docs.splunk.com/Documentation/Splunk/latest/User/MonitoringRecurringSituations

In particular, there are examples linked from there that exactly match your requirements, as well as more in-depth discussion should you ever need to do something different.


gkanapathy
Splunk Employee

I see. Then you're going to have to run a realtime search over a window with a suppression period equal to that window (which isn't ideal), or wait for the next release, which will have per-result alerting that can clear the queue on each alert.

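The setup described in the two replies above (tail the file from its current end, run a real-time search over a window, and suppress for exactly that window), written out as .conf stanzas. This is an added example, not configuration from the original thread; the monitored path, sourcetype, stanza name, keyword and recipient address are placeholders.

```ini
# inputs.conf (added example; path and sourcetype are placeholders)
[monitor:///var/log/app/app.log]
sourcetype = app_log
# Start reading at the current end of the file so that text already
# present when the input is created is never indexed and cannot fire
# the alert. Only lines appended afterwards are seen.
followTail = 1

# savedsearches.conf (added example; stanza name, keyword and recipient are placeholders)
[keyword_in_app_log]
search = sourcetype=app_log "KEYWORD"
# Real-time search over a sliding 60-second window, not a cron-scheduled one.
dispatch.earliest_time = rt-60s
dispatch.latest_time = rt
enableSched = 1
# "always": fire whenever the window holds at least one matching event.
alert_type = always
alert.track = 1
# Suppress for exactly the window length. Without this, a single hit stays
# inside the 60-second window and the alert re-fires on every evaluation,
# which is the "continuously getting alerts" behaviour described in the thread.
alert.suppress = 1
alert.suppress.period = 60s
action.email = 1
action.email.to = secops@example.com
```

The trade-off gkanapathy points out is visible here: a second occurrence of the keyword that lands within 60 seconds of the first is silenced by the suppression, so the choice of window length is also the choice of how close together two notifications can be. On releases that have per-result alerting, setting `alert.digest_mode = 0` in the same stanza makes the alert fire once per matching event instead of once per window, which removes the need to tie the suppression period to the window. To confirm that `followTail` is doing its job, append a line containing the keyword to the file after the input is created and check that only that line, and none of the pre-existing content, shows up under `sourcetype=app_log`.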

rashidmirza
New Member

When I say "failed" in my previous statement, I mean I was getting alerts because of the previous presence of the keywords in the text file, when in fact I want to be alerted if there is a new entry of the keyword in the text file.


rashidmirza
New Member

Well, I have tried a realtime search by running my created search name under Searches and Reports, and defined a realtime search with a window of 1 minute.
I also set the alert condition to "always", but it seems to have failed. I will look at the link you suggested.


rashidmirza
New Member

My setup is as follows:
In 'Get data from files and directories', under 'Advanced Options', I enabled 'Follow Tail'.
In 'Searches and Reports', Alerts section, if I give the alert condition as 'always' then I am continuously getting alerts, when in fact I want to be alerted only when the keyword exists in new text that was written to the text file, since a 'Follow Tail' was done.
I need to know what the appropriate alert needs to be for this setup.


rashidmirza
New Member

Yes, I know what the keyword is.


Drainy
Champion

Do you know what the keyword will be in advance?
