I am new to Splunk and need suggestion for creating the below alert in Splunk.
I need to create an alert which will check the log file last updated timestamp and if it is not updated for last ten minutes, then alert should be triggered.
Thanks in Advance. Hope this would be my kick start for the Splunk learning part.
A good kick start for learning Splunk is the free Splunk Fundamentals 1 course at splunk.com.
Splunk does not routinely index file update timestamps. It will have timestamps for each record read from the source, but not the file modification time. It may still work, however. Try this simple search
index=foo source=bar earliest=-10m
Have the alert trigger when the number of results is zero.
