I have the Splunk query below and am looking for help with it.
| tstats latest(_time) as updated_time where index="idx_rwmsna" source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log" host=ATLWMSVP45
| eval status=if(updated_time>(now()-60),"ok","ko")
| sort - updated_time
| where status="ko"
I want to monitor the above log file and send an email if it is not getting updated. I am trying it, but even for 1 minute the alert is not getting triggered.
Can someone help check the above code and let me know if I am missing anything here?
I appreciate your input.
Regards
Amit
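The alert search above reduces to one comparison: latest(_time) for the file against now()-60. The Python below is an added illustration of that logic, not code from the thread or from Splunk; it re-implements the check over a handful of constructed log lines so the two ways the "ko" branch can fail to fire are visible. The timestamp layout (TS_FORMAT), the NOW reference clock and the sample lines are all assumptions; the real DEFAULT_activity_1.log format is not shown in the thread. The example goes slightly beyond the search by reporting "no_data" when nothing parses at all, since a search that yields no row at all gives the `where status="ko"` step nothing to pass through.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

THRESHOLD_SEC = 60  # same window as now()-60 in the alert search

# Assumed timestamp layout for the log lines; the real DEFAULT_activity_1.log
# format is not shown in the thread, so this is an illustrative guess.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
TS_LEN = len("2024-05-01 10:00:00")


def parse_line_time(line: str, log_tz: timezone) -> Optional[datetime]:
    """Return the event time of one log line, or None if it carries no timestamp.

    log_tz plays the role of the timezone Splunk assumes for the source when it
    turns the raw timestamp into _time.
    """
    try:
        naive = datetime.strptime(line[:TS_LEN], TS_FORMAT)
    except ValueError:
        return None
    return naive.replace(tzinfo=log_tz)


def latest_event_time(lines: list, log_tz: timezone) -> Optional[datetime]:
    """Equivalent of tstats latest(_time): the newest timestamp seen, or None."""
    times = [t for t in (parse_line_time(ln, log_tz) for ln in lines) if t is not None]
    return max(times) if times else None


def classify(updated_time: Optional[datetime], now: datetime,
             threshold_sec: int = THRESHOLD_SEC) -> str:
    """The eval in the alert: "ok" if updated inside the window, else "ko".

    A file with no parsed events is reported as "no_data" instead of vanishing:
    an alert that triggers on "number of results > 0" never sees a row for it.
    """
    if updated_time is None:
        return "no_data"
    return "ok" if updated_time > now - timedelta(seconds=threshold_sec) else "ko"


def should_alert(status: str) -> bool:
    """Anything other than a fresh file should page someone."""
    return status != "ok"


def check_log(lines: list, now: datetime, assumed_tz: timezone,
              threshold_sec: int = THRESHOLD_SEC) -> str:
    return classify(latest_event_time(lines, assumed_tz), now, threshold_sec)


# Constructed sample data: a fixed reference clock and lines written ~5 minutes
# before it. Real runs would use datetime.now(timezone.utc) as `now`.
NOW = datetime(2024, 5, 1, 10, 10, 0, tzinfo=timezone.utc)
STALE_LINES = [
    "2024-05-01 10:04:30 INFO  order 1001 picked",
    "2024-05-01 10:05:00 INFO  order 1002 picked",
]
FRESH_LINES = STALE_LINES + ["2024-05-01 10:09:45 INFO  order 1003 picked"]


def demo() -> dict:
    """Run the four cases a practitioner should test before trusting the alert."""
    return {
        # last write 5 min ago, 60 s window -> "ko", alert fires
        "stale": check_log(STALE_LINES, NOW, timezone.utc),
        # last write 15 s ago -> "ok"
        "fresh": check_log(FRESH_LINES, NOW, timezone.utc),
        # nothing parsed at all -> "no_data" (the search itself would return no row)
        "empty": check_log([], NOW, timezone.utc),
        # Failure mode: the source is assumed to be in UTC-5 although the host
        # wrote the lines in UTC, so _time lands ~5 h in the future and the stale
        # file is reported "ok"; the alert stays silent until that offset elapses.
        "skewed": check_log(STALE_LINES, NOW, timezone(timedelta(hours=-5))),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:7s} status={status:8s} alert={should_alert(status)}")
```

The "skewed" case is the one to check first when an alert like this never fires: compare `updated_time` from the search with `now()` directly (for example by adding `| eval age_sec=now()-updated_time`) and confirm the age is positive and roughly matches the file's modification time on the host.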
Hi @Amit79 ,
do you have results from the main search?
| tstats latest(_time) as updated_time where index="idx_rwmsna" source="E:\\Busapps\\rwms\\mna1\\geodev12\\Edition\\logs\\DEFAULT_activity_1.log" host=ATLWMSVP45
Ciao.
Giuseppe
Hello Sir,
Thanks for your response, but I am not getting your question. The script I put in is my alert script, and it is giving me the updated timestamp for that file; I am just checking whether it has been updated within a certain time period or not.
But if you think I am missing anything in the script, please let me know.
Regards
Amit
Hi @Amit79,
you asked for the replacement syntax for a deprecated tag and I gave the new one.
Let me know how I can help you more.
Ciao.
Giuseppe
Thank you Sir.
I just wanted to check whether the code I have put in is correct, or whether I am making any mistakes with my logic?
Regards
Amit
Hi @Amit79,
good for you, see you next time!
Let me know if I can help you more, or please accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉