Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Trigger alert no transaction inside log file from the directory?

karthi2809
Contributor
‎04-26-2018 12:18 AM

I have two directory having two log files

Directory:

/logs/Test1/
/logs/Test2/

The directory have two log files:

Logs:
error.log
systemout.log

Have to trigger alert for the directory and logs have no transaction for 10 min

0 Karma
Reply

p_gurav
Champion
‎04-26-2018 06:28 AM

Can you try this:

|metadata type=sources | eval since=now()-lastTime | search since>=600 | search source="*error.log*" OR source="*systemout.log*"
0 Karma
Reply

kmaron
Motivator
‎04-26-2018 05:37 AM

Try this:

| stats count 
| eval source="/logs/Test1/error.log, /logs/Test1/systemout.log, /logs/Test2/error.log, /logs/Test2/systemout.log"
| makemv delim="," source 
| mvexpand source 
| append 
    [ search ... whatever search you would use to find these transactions from these files that includes the source] 
| stats sum(eval(if(isnull(_time),0,1))) as count by source
| where count < 1

Then set your alert to look back 10 minutes and trigger condition to Number of Results > 0

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...