|
Hi I've got files that I've got to read, and when there is a file with ERROR or WARNING in it, i've got to send an alert. Now my question is: is theire a possibility to read the content of a file? Thanks in advance |
|
I've found the problem !! When you go to the alert manager and click on edit search of the specific alert you'll get to SPLUNK>MANAGER>>SEARCHES AND REPORTS >> testname You look for: alert - condition and you choose with the drop down list 'if custom condition is met' and you put in the box below it 'search ERROR' save your settings and you'll be fine ;-) in either case, it works for me!!
can someone accept this answer, cause this post is answered ;-)
(22 Mar '11, 10:52)
bjornsplunk
|
|
This is basic functionality in Splunk - read the contents of a file and put it in an index. It might be a good idea to get to know Splunk a bit, for instance using the tutorial: http://www.splunk.com/base/Documentation/latest/User/WelcometotheSplunktutorial I'm not familiar with Splunk, because I started yesterday with it ;-) But can you put me in the right direction please? I don't know so good where to look for... thanks
(22 Mar '11, 08:03)
bjornsplunk
I think the best place to start is the tutorial that I linked to so you get an understanding of how Splunk works and what options you have for achieving things. Then after you've covered the basics and still have an issue with how to do something more specific, just put in a question and someone will surely answer it. Right now your question covers a very broad scope which makes it hard to answer without covering a lot of stuff that is better explained in the manuals anyway.
(22 Mar '11, 09:02)
Ayn
In the meantime I've practically figured it our ;-) thx. But now i've got an other question: When there is an ERROR in a file, I get an alert (which is good), but when i delete the ERROR in that specific file, i don't want to get an error anymore... but i still get the same error, even the error in the file is gone. So if i click VIEW RESULTS at the ALERT MANAGER i see all the errors that have occured in the past, but how do i delete these errors (i geuss that triggers the alert)?
(22 Mar '11, 09:14)
bjornsplunk
now i figured out how to delete those search result: -> source="filename" ERROR | delete so now the search result for ERROR in my file are gone, but i STILL get the same error... why is that??? There is NO error in the file, there are NO errors in the search results...
(22 Mar '11, 09:38)
bjornsplunk
|
|
try this in your search text box to see all lines/events with the word ERROR OR WARNING in: index=main (ERROR OR WARNING) ...this is assuming that you have used the default index, which is called main. If not just substitute 'main' for the name of your index.
(22 Mar '11, 09:28)
fox
if this works try this: index=main (ERROR OR WARNING) | timechart count by source Then select the 'show report' icon. This will give you the number of ERRORS OR WARNINGS over time per file, so that you can see the bad files from the good...
(22 Mar '11, 09:32)
fox
Yes, what you said works ;-) but the next problem is in the post above. if you know the answer, feel free to answer :p
(22 Mar '11, 09:39)
bjornsplunk
|
|
Re your alert results... I am not sure how you are deleting the warnings? The best way to run it is to run the search for the alert every 10 mins and make the search look back over 11 minutes (to be on the safe side) -11m . Now you will only see an alert for a warning that happened in the last 10 minutes and if you then enter a new file without errors, the alert will not return any results... hope this helps |
|
I figured out how to search in a file and how to delete the search history. So I get an error when I need to get one, but now i still get the same error over and over again even it isn't supposed to give me the alert this is what i put in the search field of the alert: source="C:\splunk\test_er.txt" ERROR does anyone have an idea what i'm doing wrong? |
|
I've found in another post that maybe throttling would work, i'm sure it will work, but it's not what i'm looking for. for example: i've got an alert running every 5 minutes
Everything works, except the last part, when i delete the ERROR in the log file, i still get the alert, so i looked further and there were still ERRORs in the SEARCH, so i deleted them, but i still get the alert even every ERROR is gone... Am I doint something wrong? Or am i missing something? Thx |