Alerting

Alert for searching a log file in case it does not exist

deepti123
New Member

I am new to Splunk and want to know the steps for how I can add an alert in Manager << Data & Reports << New, in order to search a log file for a particular day, preferably (if I search on 27-Feb then it should search the log file for 27-Feb (same day) only), and in case the log file does not exist then the alert is to be created and an email has to be sent. The log files are available in Manager << Data Input.

Please tell me the steps for how I can proceed with this.


sideview
SplunkTrust

Well, in the main search UI, set the TimeRangePicker to 'Today' by going to "Other" >> "Today".

Then search for the file in question, probably with source="<your logfile name>".

Then in the Actions menu, select "Save search".

A little modal popup layer will open. Scroll down a little and you'll see a checkbox for "Schedule this search". Check that.

A few more fields will open up.

Set 'run every' to something sensible, perhaps 'every day at 6pm'. Or you can enter a custom cron string. (I might avoid setting it to 'every day at midnight', because the 'today' timerange might get interpreted as 'tomorrow', if you follow what I'm saying. But you can test this for yourself.)

In the "Perform actions" section, change it from 'always' to 'if number of events'. From this point it'll be clear how you can make the alert trigger if the number of events is zero.

Check the 'send email' option, and then enter the email address you want it to email.

Submit the form.

So every day at 6pm, it'll search for that 'source' value, just over that day's events. And if there are 0 events for that search, it'll email that email address.
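The same scheduled alert written out as a savedsearches.conf stanza, added here as an illustration and not part of the original answer. The stanza name, the source path and the e-mail address are assumed placeholders; the setting names are standard Splunk saved-search keys.

```ini
# savedsearches.conf, e.g. in an app's local/ directory.
# Splunk .conf files only allow whole-line "#" comments, so nothing trails a value.

# Assumed stanza name
[Missing daily logfile alert]

# Assumed path: the raw search, with no stats/transform, so that a missing file
# really yields zero events (a "| stats count" would always return one row).
search = source="/var/log/myapp/app.log"

# The 'Today' preset in the TimeRangePicker is midnight (@d) up to now.
dispatch.earliest_time = @d
dispatch.latest_time = now

# Run every day at 18:00; keeping this well away from midnight avoids the
# "today vs. tomorrow" ambiguity the answer mentions.
enableSched = 1
cron_schedule = 0 18 * * *

# Trigger condition: "if number of events" is "equal to" 0
counttype = number of events
relation = equal to
quantity = 0

# Send e-mail when triggered (assumed address) and keep the alert in Triggered Alerts
action.email = 1
action.email.to = ops@example.com
action.email.subject = Splunk alert: no events from app.log today
alert.track = 1
disabled = 0
```

A zero-event result also occurs when the file exists but has not yet been picked up by the input, so when the alert fires, check the input under Manager >> Data Inputs before assuming the file itself is missing.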
