Solved: Re: Monitor last updated time stamp for trace file...

CaptainHook · ‎05-09-2016

Can somebody please educate me on how I can set up a monitor for this type of request?
The requirement is to check the last time stamp updated at the end of the file. (NOT the time stamp on the file). Check the last updated time stamp for trace file and generate alert if the file is not updated in the last 45 min.

(d:\Program Files (x86)\CA\log\xxxx.trace)
Thanks in advance

jkat54 · ‎05-09-2016

Just monitor the file and make sure timestamps are extracted from the data. Put it into a specific index like "caTracer".

Then run a search on caTracer with latest=-45m and create an alert that triggers if number of results equals 0.

If you provide sample data from the file, we can help you extract the timestamp correctly from the data.

View solution in original post

jkat54 · ‎05-09-2016

Just monitor the file and make sure timestamps are extracted from the data. Put it into a specific index like "caTracer".

Then run a search on caTracer with latest=-45m and create an alert that triggers if number of results equals 0.

If you provide sample data from the file, we can help you extract the timestamp correctly from the data.

CaptainHook · ‎05-09-2016

Thank you, that makes simple sense of the monitor.

jkat54 · ‎05-09-2016

I see you posted sample events... do you need any help extracting time?

CaptainHook · ‎05-10-2016

That would be a great help, if you don't mind.

jensonthottian · ‎05-09-2016

http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorChangestoYourFileSystem-

Monitor file system

[fschange:]
signedaudit = false
index=_audit

jkat54 · ‎05-09-2016

He said NOT the timestamp of the file.

jensonthottian · ‎05-09-2016

can you provide a sample event for the same, if its not the timestamp then it must be another field which is corresponding to "last updated time".

jensonthottian · ‎05-09-2016

yes this should work too if you jusr monitoring the changes to a file- http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorChangestoYourFileSystem

CaptainHook · ‎05-09-2016

[2688][6200][05/09/2016][11:52:19.194][_new][][][CSmMessage::ParseAgentMessage][SmMessage.cpp:514][][Receive request attribute 166, data size is 3][][][][][][][128][][][][][][][]
[2688][6200][05/09/2016][11:52:19.194][_new][][][CSmMessage::ParseAgentMessage][SmMessage.cpp:514][][Receive request attribute 148, data size is 1][][][][][][][1][][][][][][][]
[2688][6200][05/09/2016][11:52:19.194][_new][][][CSmMessage::ParseAgentMessage][SmMessage.cpp:514][][Receive request attribute 149, data size is 0][][][][][][][][][][][][][][]
[2688][6200][05/09/2016][11:52:19.194][_new][][][CSmMessage::ParseAgentMessage][SmMessage.cpp:514][][Receive request attribute 145, data size is 1618][][][][][][][

I am thinking that we can only go by the timestamp in the file to monitor on these events...

CaptainHook · ‎05-09-2016

I have been trying to determine if http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/MonitorChangestoYourFileSystem would be an appropriate path to venture down.

Monitor last updated time stamp for trace file and generate alert if the file is not updated in the last 45 min.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms