Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Suggestion for a search to raise an alert when there is a pattern missing in the log file

swethaJ
New Member
‎10-06-2016 12:20 AM

Please provide sample search query for the below case:

The possibility of monitoring the logs and raise an alert when there is a pattern missing in the log file.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2016 09:03 AM

Hi Swetha,
first you can create a search query -
index=os_nix host=hostname source=/var/log/messages "pattern-msg"

after the search query bar and just above the time-picker, you have a "Save As" down drop menu.
it will give you three options - Report, Dashboard panel, Alert. choose the 3rd one - Alert.

Scheduled Vs Real-time alerts - for alert type comparisions -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/AlertTypesOverview

this is for creating scheduled alerts -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts

the search condition - you can choose trigger condition as "pattern match < 0" (when there is a pattern missing in the log file)
alt text

once the alert condition got matched, you can create an email notification -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-06-2016 09:03 AM

Hi Swetha,
first you can create a search query -
index=os_nix host=hostname source=/var/log/messages "pattern-msg"

after the search query bar and just above the time-picker, you have a "Save As" down drop menu.
it will give you three options - Report, Dashboard panel, Alert. choose the 3rd one - Alert.

Scheduled Vs Real-time alerts - for alert type comparisions -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/AlertTypesOverview

this is for creating scheduled alerts -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts

the search condition - you can choose trigger condition as "pattern match < 0" (when there is a pattern missing in the log file)
alt text

once the alert condition got matched, you can create an email notification -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Preview file
1 KB
Reply
Solved! Jump to solution

swethaJ
New Member
‎10-06-2016 09:50 PM

Thank you. I will try this option

0 Karma
Reply
Get Updates on the Splunk Community!

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Index This | What is the next number in the series? 7,645 5,764 4,576…

February 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...