Dear All,

I monitoring one folder in that folder xml file get created at certain time and it get deleted at certain time so i need to minitor if the file any xml file stay more than 5 min in folder then we need to fire a alert.

here is my search query

index=test sourcetype=fschangeevents | head 1 | eval newtime=now()-_time | table path,newtime | where newtime>300

this will give me recent one event and check if that event is duration is more than 5 min st that moment. but here there is one problem event might be deleted also added also

I Have modified my search because there might be more than one file in folder so cant use head 1 here so i need to monitor each and every file

here it is but still facing a problem not able to calculate the time difference

index=test sourcetype=fschangeevents | stats values(_time) as intime, count(_time) as totatation by path | convert ctime(intime) | where totatation < 2 | eval newtime=now()-intime| table path,intime,totatation,newtime

my query is running good but its not printing newtime could anyone please help me here

Thanks

Gajanan Hiroji