Splunk Trigger alert no transaction inside log fil...

karthi2809 · ‎04-26-2018

I have two directory having two log files

Directory:

/logs/Test1/
/logs/Test2/

The directory have two log files:

Logs:
error.log
systemout.log

Have to trigger alert for the directory and logs have no transaction for 10 min

p_gurav · ‎04-26-2018

Can you try this:

|metadata type=sources | eval since=now()-lastTime | search since>=600 | search source="*error.log*" OR source="*systemout.log*"

kmaron · ‎04-26-2018

Try this:

| stats count 
| eval source="/logs/Test1/error.log, /logs/Test1/systemout.log, /logs/Test2/error.log, /logs/Test2/systemout.log"
| makemv delim="," source 
| mvexpand source 
| append 
    [ search ... whatever search you would use to find these transactions from these files that includes the source] 
| stats sum(eval(if(isnull(_time),0,1))) as count by source
| where count < 1

Then set your alert to look back 10 minutes and trigger condition to Number of Results > 0

Splunk Trigger alert no transaction inside log file from the directory?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

Splunk Trigger alert no transaction inside log file from the directory?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!