Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create Alert if condition is met?

Chinni611
Loves-to-Learn Lots
‎10-26-2022 05:33 PM

Hi , 

I have a scenario where the files needs to be transferred for both inbound and outbound at 2 am daily. 

I need to create an alert when files are present in inbound by 2 am but missing in outbound by 2 am . 

Here is my query below. please help 

index=cas source="/bin/var/logs/log"  File 1OR File 2 OR File 3 OR File 4 Inbound 

for outbound condition is to change to outbound and File 1 represents the file that is getting transferred 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-26-2022 11:47 PM

Hi @Chinni611,

could you better describe how to recognize inbound from outbound?

in oher words; is there a string in one event? or there's a file with a different name?

Ciao.

Giuseppe

0 Karma
Reply

Chinni611
Loves-to-Learn Lots
‎10-27-2022 07:08 AM

differentiation is just by IP address for inbound (x.x.x) or not api - outbound is api.com address .File is same ( file is getting transported to both the places first inbound and later outbound) we need to track if file is present in inbound but missing in outbound at 2:01 am daily 

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 06:01 PM

Could you provide some sample data?

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...