Splunk Trigger alert no transaction inside log fil...

karthi2809 · ‎04-26-2018

I have two directory having two log files

Directory:

/logs/Test1/
/logs/Test2/

The directory have two log files:

Logs:
error.log
systemout.log

Have to trigger alert for the directory and logs have no transaction for 10 min

p_gurav · ‎04-26-2018

Can you try this:

|metadata type=sources | eval since=now()-lastTime | search since>=600 | search source="*error.log*" OR source="*systemout.log*"

kmaron · ‎04-26-2018

Try this:

| stats count 
| eval source="/logs/Test1/error.log, /logs/Test1/systemout.log, /logs/Test2/error.log, /logs/Test2/systemout.log"
| makemv delim="," source 
| mvexpand source 
| append 
    [ search ... whatever search you would use to find these transactions from these files that includes the source] 
| stats sum(eval(if(isnull(_time),0,1))) as count by source
| where count < 1

Then set your alert to look back 10 minutes and trigger condition to Number of Results > 0

Splunk Trigger alert no transaction inside log file from the directory?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

Splunk Trigger alert no transaction inside log file from the directory?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...