Hi,
I have a CSV file where logs are stored if a user adds, creates, or delete files.
I wanted to set up an alert if someone deletes files. How can I do this?
Regards
Assuming that the field extraction is setup correctly, and the field Action contains a definite keyword if a delete action is performed, try something like this
index=foo sourcetype=bar Action="delete" | table _time ,Users, IP, "Connection type", "Access resources", Action
Run this search at the frequency that you need and set the time range to match the frequency (e.g. alert running every 15 minute and time range is set to last 15 min : -15m@m to @m).
What all fields are available in the csv file? Is it available as lookup table in Splunk OR you're monitoring the csv file to be stored in an index?
fields are: Time :Users:IP:Connection type:Access resources:Action
On the csv file there is continuously monitoring.