Alerting

How to set up a real-time alert every time a keyword is found in a log file that is constantly updated?

tylerli800
Engager

Hi all,

I am new to Splunk. I would like to set up real-time updating on a log file, so that Splunk can alert every time it finds a keyword in the log file. The log file is constantly being updated by an external source.


chanfoli
Builder

So there are a few steps to get this done and it is not clear where you are in the process.

Is the log file in question already configured as a monitor input? If not, first you have to get the data into splunk and for that I would direct you here:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Once the data is in Splunk, you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into Splunk, typing in the keyword and optionally picking a time range, since the default is "all-time".

Once you have confirmed that your search finds the expected results, I would click "Save As -> Alert" and set it to real-time if you truly need real-time alerts for this condition.

You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions

tylerli800
Engager

Hi chanfoli,

Thanks for the answer! I am currently trying to figure out how to monitor the log file. When I click "monitor", Splunk does not let me select a file from my log file repository.


chanfoli
Builder

Sorry I missed your comment, but if the files are external to the sandbox instance, the standard way of getting them monitored and indexed involves installing a universal forwarder on the machine where the logs are generated, or at least a machine that has access to them.
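The four steps from chanfoli's answer (monitor input, verified search, "Save As -> Alert" set to real-time, email configured on the search head), plus the universal-forwarder setup described in the comment above, written out as Splunk .conf stanzas. This is an added example, not configuration from the thread or from Splunk's documentation; the log path, index name, sourcetype, indexer host, mail server, addresses and the keyword "ERROR" are all assumed values to be replaced with your own.

```ini
# --- inputs.conf on the universal forwarder (the host that can read the log) ---
# Assumed path, index and sourcetype; adjust to your environment.
[monitor:///var/log/app/app.log]
disabled = 0
index = app_logs
sourcetype = app_log

# --- outputs.conf on the universal forwarder: where the events are sent ---
# Assumed indexer host; 9997 is the conventional receiving port and must be
# enabled on the indexer (Settings -> Forwarding and receiving).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.com:9997

# --- alert_actions.conf on the search head: mail server for the email action ---
[email]
mailserver = smtp.example.com:25
from = splunk-alerts@example.com

# --- savedsearches.conf on the search head: the alert itself ---
# Equivalent to running the search in Splunk Web and choosing
# "Save As -> Alert" with a real-time trigger.
[ERROR in app.log]
search = index=app_logs sourcetype=app_log "ERROR"
enableSched = 1
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
# Fire once per matching event rather than once per batch of results
alert_type = always
alert.digest_mode = 0
# Throttle: at most one email per host every 5 minutes, so a noisy log
# cannot flood the mailbox or hide the first real hit among duplicates
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 5m
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = secops@example.com
action.email.subject = Splunk alert: $name$
```

Verify the search returns only the expected events before saving the stanza, exactly as the answer advises; a keyword that also appears in benign lines produces an alert nobody reads. A real-time search holds a search slot for as long as it runs, so on a shared search head it is often enough to schedule the same search every minute over the previous minute instead of using rt- time ranges.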


tylerli800
Engager

I am using Splunk 6.2 Sandbox
