Alerting

create alert to monitor the update of a file

SplunkCSIT
Communicator

Hi,
I need to monitor a file's last modified date and trigger an alert when there is no change in the last modified date of the file for more than 8 mins. What will the config be like? Thanks


rsennett_splunk
Splunk Employee

Think of it this way...

Your search must produce a value to test.
So you compare the last modified date to the current date, and if they're the same, you have no change.
In terms of Splunk, that would be where you create a field via eval, use an if statement and set a flag, i.e. if it's the same set a 1, if not a 0. Then you're going to sum those flags.
You'll run the search with earliest=-8m and perhaps latest=now.
Your alert will run, say, every 9 minutes and trigger if the search produces a number > 1.

You could get pretty sophisticated if you used streamstats, which allows you to sort of "walk" through the events and pick the ones you want to compare to each other... but that's probably for later.

If you want more detail, you can provide us with an example of an event and the search you're working on to produce your alert trigger...

Perhaps you want to take a look at the Alerting Recipes section of David Carasso's Book Exploring Splunk. It's a free book. That discusses converting monitors to alerts and might help you see the right angles.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
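The logic the answer sketches (keep the last 8 minutes of events, set a flag per event with an eval-style if, sum the flags, trigger on a threshold) written out as a runnable check. This is an added illustration, not code from the answer or from Splunk; the event layout and the field names `_time`, `path` and `last_modified`, the file path and the sample events are all constructed assumptions. The per-event flag uses the previous-event comparison the answer points to with streamstats, and it also covers the case the plain sum would miss: a window with too few events to compare, which is what you see when the monitor itself stops reporting.

```python
"""Stale-file check in the shape described in the answer: keep the events of the
last 8 minutes, flag each one whose last_modified value did not change, sum the
flags and alert when no change was seen. Added illustration; the event layout
and field names (_time, path, last_modified) are constructed assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=8)          # the "no change for more than 8 mins" threshold
PATH = "/var/app/heartbeat.log"        # constructed path


def parse(ts):
    """Accept an ISO-8601 string or a datetime."""
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


# Constructed sample events, one per minute from 10:00 to 10:10, as a file
# monitoring input might emit them. The file was modified at 09:59:30 and at
# 10:01:45 and then never again, so later events keep reporting 10:01:45.
START = datetime(2024, 3, 1, 10, 0, 0)
MODIFIED_AT = [START - timedelta(seconds=30), START + timedelta(minutes=1, seconds=45)]
SAMPLE_EVENTS = []
for i in range(11):
    t = START + timedelta(minutes=i)
    last_mod = max(m for m in MODIFIED_AT if m <= t)
    SAMPLE_EVENTS.append({"_time": t.isoformat(), "path": PATH,
                          "last_modified": last_mod.isoformat()})


def events_in_window(events, now, window=WINDOW):
    """The earliest=-8m latest=now part: events with now-window < _time <= now,
    oldest first."""
    now = parse(now)
    start = now - window
    return sorted((e for e in events if start < parse(e["_time"]) <= now),
                  key=lambda e: parse(e["_time"]))


def flag_unchanged(events):
    """The eval/if part, done the streamstats way: 1 when an event's
    last_modified equals the previous event's value, else 0. The first event
    has nothing to compare against and gets 0."""
    flags, prev = [], None
    for e in events:
        flags.append(1 if prev is not None and e["last_modified"] == prev else 0)
        prev = e["last_modified"]
    return flags


def should_alert(events, now, window=WINDOW):
    """The trigger condition. Returns (alert, reason). Alerts when every
    comparison in the window shows no change, and also when the window holds
    fewer than two events: a monitor that stopped reporting looks the same as
    a file that stopped changing, and passing that case silently would hide it."""
    window_events = events_in_window(events, now, window)
    flags = flag_unchanged(window_events)
    comparisons = max(len(flags) - 1, 0)
    if comparisons < 1:
        return True, f"only {len(window_events)} event(s) in the last {window}"
    unchanged = sum(flags)          # the stats sum(flag) part
    if unchanged == comparisons:
        return True, f"last_modified unchanged across {comparisons} comparisons"
    return False, f"{comparisons - unchanged} change(s) seen in the window"


if __name__ == "__main__":
    for now in ("2024-03-01T10:05:00", "2024-03-01T10:10:00", "2024-03-01T10:30:00"):
        alert, reason = should_alert(SAMPLE_EVENTS, now)
        print(f"{now}: {'ALERT' if alert else 'ok'} ({reason})")
```

Run as a script it checks three points in time: at 10:05 one change is still inside the window (no alert), at 10:10 every comparison is unchanged (alert), and at 10:30 the window is empty (alert). The same shape in SPL, assuming the same constructed field names, would be along the lines of `... earliest=-8m latest=now | streamstats current=f last(last_modified) as prev_mod | eval same=if(last_modified==prev_mod,1,0) | stats count, sum(same) as unchanged | where count<2 OR unchanged=count-1`, with the alert set to trigger when that search returns a result; the `count<2` clause is the empty-window case above.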