I am new to Splunk and want to know the steps for adding an alert in Manager << Data & Reports << New, in order to search a log file for a particular day (if I search on 27-Feb, it should search the log file for 27-Feb (the same day) only), and if the log file does not exist, then the alert should be created and an email has to be sent. The log files are available in Manager << Data Input.
Please tell me the steps for how I can proceed on this?
Well, in the main search UI, set the TimeRangePicker to 'Today' by going to "Other" >> "Today".
Then search for the file in question, probably with source="<your logfile name>".
Then in the Actions menu, select save search. A little modal popup layer will open. Scroll down a little and you'll see a checkbox for Schedule this search. Check that.
A few more fields will open up.
Set 'run every' to something sensible, perhaps 'every day at 6pm'. Or you can enter a custom cron string. (I might avoid setting it to 'every day at midnight', because the 'today' timerange might get interpreted as 'tomorrow', if you follow what I'm saying. But you can test this for yourself.)
In the Perform actions section, change it from always to if number of events. From this point it'll be clear how you can make the alert trigger if the number of events is zero.
Check the 'send email' option, and then enter the email address you want it to email.
Submit the form.
So every day at 6pm, it'll search for that 'source' value, just over that day's events. And if there are 0 events for that search, it'll email that email address.
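The same scheduled alert expressed as a savedsearches.conf stanza, which is what the UI steps above write on disk. This is an added example, not part of the original answer and not taken from Splunk's documentation; the stanza name, the log file path and the e-mail address are placeholders you replace with your own. The time window is stated explicitly with dispatch.earliest_time / dispatch.latest_time rather than relying on the "Today" picker, which makes the scheduling caveat visible: @d snaps to midnight of the day the search runs, so a run shortly after midnight would cover only a few minutes, while the 18:00 run covers most of the day.

```ini
# savedsearches.conf (added example; not from the original answer)
# Typically placed in $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf.
# Stanza name, source path and e-mail address below are placeholders.

[Daily log file presence check]
# Same search as in the UI: only events indexed from the expected log file.
search = source="/var/log/myapp/app.log"

# Explicit "today" window: @d = midnight at the start of the day the
# search runs, "now" = the moment it runs.
dispatch.earliest_time = @d
dispatch.latest_time = now

# Run every day at 18:00 (cron fields: minute hour day-of-month month day-of-week).
enableSched = 1
cron_schedule = 0 18 * * *

# Alert condition: trigger when the event count equals zero,
# i.e. nothing arrived from that source today.
counttype = number of events
relation = equal to
quantity = 0

# Alert action: notify the mailbox that should investigate the missing log.
action.email = 1
action.email.to = oncall@example.com
action.email.subject = Splunk alert: no events from app.log today
```

After adding the stanza, reload the configuration (a Splunk restart or a debug/refresh) and confirm the search appears under Manager >> Searches and Reports with the schedule and the alert condition you expect. A zero-event result can mean the file was not written, the forwarder stopped, or the input was reconfigured, so the e-mail is a prompt to check the source host as well as the Splunk input.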