Alerting

Scheduled search syntax to monitor syslog events and alert for new log entries

stwong
Communicator

Hi, I'm trying to monitor new syslog events and send an email when new log entries appear. I tried scheduling a search like the following every 5 minutes:

 * | eval interval = now() - _indextime |  search interval <= 300

But it seems clumsy. Is there a better and more accurate way to do this? Thanks a lot.

1 Solution

martin_mueller
SplunkTrust

Yeah, that's indeed quite cumbersome. Take a look at this: http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers#List_of_time_m...

You'll find the regular time modifiers earliest and latest that look at the _time field... but also the _index_earliest and _index_latest modifiers that look at the _indextime field!

Using that, you can run this search over all time every five minutes:

index=* _index_earliest=-6m@m _index_latest=-m@m

Note, it's good practice to introduce a small delay in your scheduled search. Say it runs at 13:05:00 - an event being indexed at 13:04:59.999 may not be available yet. That mostly applies to the regular time range looking at _time, but might also have some small use for _indextime. Depending on your environment you can of course tune that minute of delay to whatever value works for you.

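The accepted answer turns on two things: the `@m` snap makes consecutive runs select contiguous, non-overlapping index-time windows, and the one-minute offset leaves just-indexed events for the next run instead of racing the indexer. The Python below is an added example, not code from the thread or from Splunk; it emulates the window arithmetic of `_index_earliest=-6m@m _index_latest=-m@m` against the poster's `now() - _indextime <= 300` approach, using constructed run times (with a few seconds of scheduler jitter) and constructed `_indextime` values. Assumptions: Splunk applies the offset and then snaps down to the minute, and treats the earliest bound as inclusive and the latest as exclusive.

```python
from datetime import datetime, timedelta

# Constructed: a 5-minute cron schedule with a few seconds of scheduler jitter,
# as happens on a busy search head (not real data).
RUN_TIMES = [
    datetime(2024, 3, 1, 13, 5, 0),
    datetime(2024, 3, 1, 13, 10, 7),
    datetime(2024, 3, 1, 13, 15, 3),
    datetime(2024, 3, 1, 13, 20, 0),
]

# Constructed: _indextime of five syslog events (not real data).
INDEX_TIMES = [
    datetime(2024, 3, 1, 13, 3, 30),
    datetime(2024, 3, 1, 13, 4, 59, 999000),   # the 13:04:59.999 case from the answer
    datetime(2024, 3, 1, 13, 5, 3),
    datetime(2024, 3, 1, 13, 10, 5),
    datetime(2024, 3, 1, 13, 13, 0),
]


def snap_to_minute(t):
    """The '@m' snap: truncate to the start of the minute (assumed: Splunk snaps down)."""
    return t.replace(second=0, microsecond=0)


def index_time_window(run_at, earliest_min=6, latest_min=1):
    """Window selected by `_index_earliest=-6m@m _index_latest=-m@m` for a search
    starting at run_at: apply the offset, then snap to the minute.
    Returns (earliest, latest); earliest inclusive, latest exclusive (assumed)."""
    earliest = snap_to_minute(run_at - timedelta(minutes=earliest_min))
    latest = snap_to_minute(run_at - timedelta(minutes=latest_min))
    return earliest, latest


def naive_window(run_at, seconds=300):
    """Window selected by `eval interval = now() - _indextime | search interval <= 300`.
    It is anchored on the wall clock at run time, so it moves with scheduler jitter.
    Both ends inclusive: interval <= 300, and _indextime cannot exceed now()."""
    return run_at - timedelta(seconds=seconds), run_at


def in_window(t, window, latest_inclusive):
    earliest, latest = window
    return earliest <= t and (t <= latest if latest_inclusive else t < latest)


def alert_counts(window_fn, latest_inclusive, runs=RUN_TIMES, index_times=INDEX_TIMES):
    """How many times each event is returned across consecutive scheduled runs.
    A count of 1 everywhere means no missed events and no duplicate alerts."""
    counts = {t: 0 for t in index_times}
    for run_at in runs:
        window = window_fn(run_at)
        for t in index_times:
            if in_window(t, window, latest_inclusive):
                counts[t] += 1
    return counts


def gaps_and_duplicates(counts):
    """Split an alert_counts() result into (never alerted, alerted more than once)."""
    missed = sorted(t for t, n in counts.items() if n == 0)
    duplicated = sorted(t for t, n in counts.items() if n > 1)
    return missed, duplicated


if __name__ == "__main__":
    for name, fn, incl in (("_indextime window", index_time_window, False),
                           ("now()-300 window", naive_window, True)):
        missed, dup = gaps_and_duplicates(alert_counts(fn, incl))
        print(f"{name}: missed={[t.time() for t in missed]} "
              f"duplicated={[t.time() for t in dup]}")
```

With the jittered schedule, the snapped index-time windows are 12:59-13:04, 13:04-13:09, 13:09-13:14 and 13:14-13:19, so every event is evaluated exactly once, and the 13:04:59.999 event is picked up by the 13:10 run rather than being raced at 13:05. The `now() - 300` windows slide with the jitter: the event indexed at 13:05:03 falls between the 13:05:00 and 13:10:07 runs and never alerts, while the one indexed at 13:10:05 is returned by two runs and alerts twice. For a detection rule, a missed window is a silent gap and a duplicate is noise, which is why the contiguous index-time windows are the better fit.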

martin_mueller
SplunkTrust

Don't forget to mark this as solved.


stwong
Communicator

Hi, thank you very much for your help.

/st
