Hi, I'm trying to monitor new syslog events and send an email when new log entries are seen. I tried to schedule a search like the following every 5 mins:
* | eval interval = now() - _indextime | search interval <= 300
But it seems clumsy. Is there any better and more accurate way to do so? Thanks a lot.
Yeah, that's indeed quite cumbersome. Take a look at this: http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers#List_of_time_m...
You'll find the regular time modifiers earliest and latest that look at the _time field... but also the _index_earliest and _index_latest modifiers that look at the _indextime field!
Using that, you can run this search over all time every five minutes:
index=* _index_earliest=-6m@m _index_latest=-m@m
Note, it's good practice to introduce a small delay in your scheduled search. Say it runs at 13:05:00 - an event being indexed at 13:04:59.999 may not be available yet. That mostly applies to the regular time range looking at _time, but might also have some small use for _indextime. Depending on your environment you can of course tune that minute of delay to whatever value works for you.
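The following is an added illustration, not code from the thread or from Splunk: a small Python model of the two windowing approaches above. It shows why the `now() - _indextime <= 300` search can miss or double-alert an event when the scheduler fires a few seconds late, while the `-6m@m` / `-m@m` boundaries, being snapped to the minute, tile perfectly. The run times and `_indextime` values are constructed; the model assumes Splunk's usual convention that the earliest bound is inclusive and the latest bound exclusive.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): three scheduled runs, the
# second one firing 2 s late, and three syslog events with their _indextime.
RUNS = [
    datetime(2014, 8, 1, 13, 5, 0),
    datetime(2014, 8, 1, 13, 10, 2),   # scheduler jitter: 2 s late
    datetime(2014, 8, 1, 13, 15, 0),
]
EVENTS = {
    "indexed 13:05:01": datetime(2014, 8, 1, 13, 5, 1),
    "indexed 13:07:30": datetime(2014, 8, 1, 13, 7, 30),
    "indexed 13:10:01": datetime(2014, 8, 1, 13, 10, 1),
}


def naive_window(run_time, seconds=300):
    """Model of `now() - _indextime <= 300`: a 300 s window ending at the run's
    actual wall-clock start time. Both ends inclusive, as the <= implies."""
    return run_time - timedelta(seconds=seconds), run_time, True


def snapped_window(run_time, earliest_min=6, latest_min=1):
    """Model of `_index_earliest=-6m@m _index_latest=-m@m`: offsets are taken
    from the run time snapped down to the whole minute (@m), so jitter within
    the minute never moves the boundaries. Assumed convention: earliest bound
    inclusive, latest bound exclusive."""
    minute = run_time.replace(second=0, microsecond=0)
    return (minute - timedelta(minutes=earliest_min),
            minute - timedelta(minutes=latest_min),
            False)


def matches(indextime, window):
    lo, hi, hi_inclusive = window
    return lo <= indextime <= hi if hi_inclusive else lo <= indextime < hi


def hits_per_event(events, runs, window_fn):
    """How many scheduled runs would alert on each event.
    0 means the event is never alerted on, 2 means a duplicate alert."""
    return {name: sum(matches(t, window_fn(run)) for run in runs)
            for name, t in events.items()}


if __name__ == "__main__":
    for label, fn in (("now() - _indextime <= 300", naive_window),
                      ("_index_earliest/_index_latest", snapped_window)):
        print(label)
        for name, n in hits_per_event(EVENTS, RUNS, fn).items():
            print(f"  {name}: alerted {n} time(s)")
```

With the late second run, the naive search never sees the event indexed at 13:05:01 (it falls in the 2 s gap between runs) and alerts twice on the one indexed at 13:10:01 (the windows of runs two and three overlap), whereas the snapped windows report every event exactly once, at the cost of the one-minute delay the answer recommends.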
Don't forget to mark this as solved.
Hi, thank you very much for your help.
/st