Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why check log file was not updated for more than 5 mins?

jenniferhao
Explorer
‎06-09-2022 01:14 PM

I have a log file which should be updated in every min, but some time service hung, so the file cannot get update. Need to send an alert: if the file wasn't updated more than 5mins.
But tried with the following different ways, the results seems not accurate. Any idea? Thanks.

I did:

index=abcapp source=abc.log"
| sort _time
|streamstats window=2 range(_time) as timediff
|table timediff _time
|eval alert=if(timediff>=5,1,0)
|where alert=1

OR
index=abcapp source="abc.log"
| sort _time
| delta _time as timediff
| eval alert = if(timediff>5,1,0)
|where alert =1

OR
index=abcapp source="abc.log" earliest=-5m latest=now
|stats count as num
| eval alert = if(num=0,1,0)
|where alert =1

Labels (2)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-09-2022 01:47 PM 
| tstats max(_time) as _time where index=abcapp earliest=-20m
|where _time<now()-300

 

You can adjust the windows (earliest= parameter). Might not return proper values if you have some invalid timestamps from the future in your undex (didn't test for it though).

Reply

jenniferhao
Explorer
‎06-13-2022 05:16 AM

Thanks for helping, this works. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...