I have a log file which should be updated every minute, but sometimes the service hangs, so the file does not get updated. I need to send an alert if the file wasn't updated for more than 5 mins. I tried the following different ways, but the results seem not accurate. Any idea? Thanks.
I did:
index=abcapp source="abc.log" | sort _time | streamstats window=2 range(_time) as timediff | table timediff _time | eval alert=if(timediff>=5,1,0) | where alert=1
OR index=abcapp source="abc.log" | sort _time | delta _time as timediff | eval alert=if(timediff>5,1,0) | where alert=1
OR index=abcapp source="abc.log" earliest=-5m latest=now | stats count as num | eval alert=if(num=0,1,0) | where alert=1
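As an added illustration, not part of the original post, here is the detection logic behind those three searches written in Python over a constructed sample log: `gap_alerts` mirrors the streamstats/delta approach (gaps between consecutive events) and `is_stale` mirrors the earliest=-5m count check (age of the newest event relative to now). Two points it makes concrete: `_time` deltas are in seconds, so a 5-minute threshold is 300, and the gap-based check only fires once the service resumes and writes the next event, so it cannot alert while the service is still hung.

```python
from datetime import datetime, timezone

STAMP = "%Y-%m-%dT%H:%M:%SZ"
STALE_SECONDS = 5 * 60  # "more than 5 mins" in seconds, the unit of _time deltas

# Constructed sample log (not from the original post): one line per minute,
# a gap while the service hangs, then it resumes.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z heartbeat ok
2024-01-01T10:01:00Z heartbeat ok
2024-01-01T10:02:00Z heartbeat ok
2024-01-01T10:09:30Z heartbeat ok
2024-01-01T10:10:30Z heartbeat ok
"""


def parse_stamp(text):
    return datetime.strptime(text, STAMP).replace(tzinfo=timezone.utc)


def parse_times(log_text):
    """Event timestamps in chronological order (the '| sort _time' step)."""
    return sorted(parse_stamp(line.split(" ", 1)[0])
                  for line in log_text.splitlines() if line.strip())


def gap_alerts(times, threshold=STALE_SECONDS):
    """Gaps between consecutive events, as streamstats/delta compute them.

    Fires only when the *next* event arrives: a service that is hung right
    now writes nothing, so no new gap appears and nothing alerts."""
    alerts = []
    for prev, cur in zip(times, times[1:]):
        gap = (cur - prev).total_seconds()
        if gap > threshold:
            alerts.append((cur.strftime(STAMP), gap))
    return alerts


def is_stale(log_text, now_text, threshold=STALE_SECONDS):
    """True when the newest event is older than threshold relative to now.

    This catches a service that is hung at the moment of the check; it is
    what searching earliest=-5m and alerting on an empty result does."""
    times = parse_times(log_text)
    if not times:
        return True
    return (parse_stamp(now_text) - times[-1]).total_seconds() > threshold
```

With the thresholds from the post (5 and >5), every normal one-minute interval is 60 seconds and would trip the gap check, which is why those searches look inaccurate.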