Why check log file was not updated for more than 5...

jenniferhao · ‎06-09-2022

I have a log file which should be updated in every min, but some time service hung, so the file cannot get update. Need to send an alert: if the file wasn't updated more than 5mins.
But tried with the following different ways, the results seems not accurate. Any idea? Thanks.

I did:

OR
index=abcapp source="abc.log"
| sort _time
| delta _time as timediff
| eval alert = if(timediff>5,1,0)
|where alert =1

OR
index=abcapp source="abc.log" earliest=-5m latest=now
|stats count as num
| eval alert = if(num=0,1,0)
|where alert =1

PickleRick · ‎06-09-2022

| tstats max(_time) as _time where index=abcapp earliest=-20m
|where _time<now()-300

You can adjust the windows (earliest= parameter). Might not return proper values if you have some invalid timestamps from the future in your undex (didn't test for it though).

jenniferhao · ‎06-13-2022

Thanks for helping, this works.

Why check log file was not updated for more than 5 mins?

search head

splunkd

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?