So there are a few steps to get this done and it is not clear where you are in the process.
Is the log file in question already configured as a monitor input? If not, first you have to get the data into Splunk, and for that I would direct you here:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories
Once the data is in Splunk you would want to run a search for the alert keyword to verify that it is only finding the expected results. This is as simple as logging into Splunk and typing in the keyword and optionally picking a time range, since the default is "all-time".
Once you have confirmed that your search finds the expected results, I would click "Save As->Alert" and set it to real-time if you truly need real-time alerts for this condition.
You will need to have email configured on your search head in order for email notifications to work. See the following page for more on this:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Alert/Setupalertactions
Hi chanfoli,
Thanks for the answer! I am currently trying to figure out how to monitor the log file. When I click "monitor", Splunk does not let me select a file from my log file repository.
Sorry I missed your comment, but if the files are external to the sandbox instance, the standard way of getting them monitored and indexed involves installing a universal forwarder on the machine where the logs are generated, or at least a machine that has access to them.
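The forwarder-plus-alert setup described in the answer and the comment above, written out as the Splunk .conf stanzas the UI steps produce. This is an added example, not from the thread or from Splunk's docs; the log path, sourcetype, index, hostnames, mail relay, recipient and the keyword "Authentication failure" are all assumed placeholders.

```ini
# ---- On the Universal Forwarder (the host that can read the log) ----
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed log path; the index must already exist on the indexer.
[monitor:///var/log/app/app.log]
sourcetype = app_log
index = app_logs
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Assumed indexer hostname; 9997 is the conventional receiving port,
# which must be enabled on the indexer (Settings -> Forwarding and receiving).
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.com:9997

# ---- On the search head ----
# $SPLUNK_HOME/etc/system/local/alert_actions.conf
# Assumed SMTP relay; TLS so alert contents are not sent in the clear.
[email]
mailserver = smtp.example.com:587
use_tls = 1
from = splunk-alerts@example.com

# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# This is what "Save As -> Alert", real-time, "per result" writes.
# Verify the search on its own first: the alert fires on ANY event it returns.
[Keyword seen in app log]
search = index=app_logs sourcetype=app_log "Authentication failure"
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# digest_mode = 0 means one alert per matching event, not one per window
alert.digest_mode = 0
alert.track = 1
# Throttle repeats so a burst of matching lines does not flood the mailbox.
alert.suppress = 1
alert.suppress.period = 5m
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$
action.email.sendresults = 1
```

A real-time search holds a search process open permanently on the search head; if a delay of a minute or so is acceptable, replacing the rt-window with a scheduled search (cron_schedule = */1 * * * * with earliest/latest of -2m and now) is much cheaper and behaves the same for the operator.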
I am using Splunk 6.2 Sandbox.