Why check log file was not updated for more than 5...

jenniferhao · ‎06-09-2022

I have a log file which should be updated in every min, but some time service hung, so the file cannot get update. Need to send an alert: if the file wasn't updated more than 5mins.
But tried with the following different ways, the results seems not accurate. Any idea? Thanks.

I did:

OR
index=abcapp source="abc.log"
| sort _time
| delta _time as timediff
| eval alert = if(timediff>5,1,0)
|where alert =1

OR
index=abcapp source="abc.log" earliest=-5m latest=now
|stats count as num
| eval alert = if(num=0,1,0)
|where alert =1

PickleRick · ‎06-09-2022

| tstats max(_time) as _time where index=abcapp earliest=-20m
|where _time<now()-300

You can adjust the windows (earliest= parameter). Might not return proper values if you have some invalid timestamps from the future in your undex (didn't test for it though).

jenniferhao · ‎06-13-2022

Thanks for helping, this works.

Why check log file was not updated for more than 5 mins?

search head

splunkd

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation