Hi,
I want to set up an alert in Splunk that gives me an alarm when there is no log for 15 mins.
Please guide me.
Thanks
DJ
First, you should take a look at http://docs.splunk.com/Documentation/Splunk/5.0.3/Alert/Aboutalerts
After that, define a search that looks for your logs - maybe something like this:
index=foo sourcetype=bar field=baz | stats count
Create an alert for that, scheduled to run every fifteen minutes over a fifteen-minute time range, triggered if count is zero. If you're confident that delays will be less than five minutes, your time range could be -5m to -20m, and your cron schedule could be */15 * * * *.
Can I search for multiple log files, group by each file, and then alert if either one of the files doesn't update?
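Both the single-stream alert from the reply above and the per-source variant asked about in the follow-up, written out as a savedsearches.conf fragment. This is an added example for this thread, not code from the Splunk docs or from either poster; index=foo, sourcetype=bar, the stanza names and the 15-minute threshold are assumptions.

```ini
# savedsearches.conf (added example; index=foo, sourcetype=bar and the
# stanza names are assumptions, not values from the original thread)

# Single stream: fire when the 15-minute window holds no events at all.
# "| stats count" always returns exactly one row, so the trigger must test
# the value of count, not the number of result rows.
[no_logs_15m]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = -5m
search = index=foo sourcetype=bar | stats count
counttype = custom
alert_condition = search count = 0
alert.track = 1
alert.severity = 4

# Several sources: look back 24h so every source that logged recently gets a
# row, then keep only those whose newest event is older than 15 minutes.
# A source that has never logged produces no row at all (the "proving a
# negative" problem); compare against an inputlookup of expected sources if
# that case matters.
[stale_sources_15m]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = | tstats max(_time) as last_seen where index=foo sourcetype=bar by source \
| eval age_min = round((now() - last_seen) / 60) \
| where age_min > 15 \
| table source last_seen age_min
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
```

The -20m to -5m window in the first stanza is the five-minute indexing delay allowance described in the reply; widen it if your forwarders lag more than that.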
Hi
Here is the Slack bot's collection of instructions:
There are a lot of options for finding hosts or sources that stop submitting events:
Meta Woot! https://splunkbase.splunk.com/app/2949/
TrackMe https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...
Some helpful posts:
https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
https://www.duanewaddle.com/proving-a-negative/