Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create Alert if condition is met?

Chinni611
Loves-to-Learn Lots
‎10-26-2022 05:33 PM

Hi , 

I have a scenario where the files needs to be transferred for both inbound and outbound at 2 am daily. 

I need to create an alert when files are present in inbound by 2 am but missing in outbound by 2 am . 

Here is my query below. please help 

index=cas source="/bin/var/logs/log"  File 1OR File 2 OR File 3 OR File 4 Inbound 

for outbound condition is to change to outbound and File 1 represents the file that is getting transferred 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-26-2022 11:47 PM

Hi @Chinni611,

could you better describe how to recognize inbound from outbound?

in oher words; is there a string in one event? or there's a file with a different name?

Ciao.

Giuseppe

0 Karma
Reply

Chinni611
Loves-to-Learn Lots
‎10-27-2022 07:08 AM

differentiation is just by IP address for inbound (x.x.x) or not api - outbound is api.com address .File is same ( file is getting transported to both the places first inbound and later outbound) we need to track if file is present in inbound but missing in outbound at 2:01 am daily 

0 Karma
Reply

johnhuang
Motivator
‎10-26-2022 06:01 PM

Could you provide some sample data?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...