I'm trying to write a Splunk query that searches for a file called hello.imp in a log file and returns an output if the file size is below 10 bytes. I have the index and log location but am unable to find the exact query. Please help me out in writing a query and creating an alert out of it.
- Why would a filename be in a logfile? – warren Mar 30 '22 at 18:54
1 Answer
You can get the size of a source file by adding up the sizes of each event within that file. Like this:
index=foo source=bar
| eval size=len(_raw)
| stats sum(size) as TotalSize

RichG
- I'd *think* `_raw` would be bigger than 10 bytes just due to event overhead. Can't recall ever seeing an event *less* than ~30 bytes, personally – warren Mar 30 '22 at 14:27
- Good point, I suppose it depends on the sourcetype's DATETIME_CONFIG setting. It may be necessary to subtract the timestamp from the size of each event. – RichG Mar 30 '22 at 14:31
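As an added example (not part of the answer or the comments above), the search below carries the approach in the answer through to the threshold the question asks for: it restricts the events to the hello.imp file via the `source` field, sums the event lengths per source, and keeps only sources whose total is under 10. The index name `main` and the `source="*hello.imp"` pattern are assumptions; replace them with the index and log location from your own environment. The `+ 1` per event is an approximation for the line terminator that Splunk's default line breaking strips from each event, and `len()` counts characters rather than bytes, so treat the result as an estimate of the file size, not an exact byte count.

```spl
index=main source="*hello.imp"
| eval event_chars = len(_raw) + 1
| stats sum(event_chars) as TotalSize, count as EventCount by source
| where TotalSize < 10
```

To turn this into an alert, save the search as an alert in Splunk, schedule it (for example every 15 minutes over the same time range), and set the trigger condition to "Number of Results" greater than 0: the `where` clause already removes every source that is at or above the threshold, so any row returned means a hello.imp file that is smaller than expected. If the comment discussion above applies to your sourcetype (that is, the indexed `_raw` differs from what is on disk because of DATETIME_CONFIG or other index-time settings), adjust the `eval` line so that `event_chars` reflects the on-disk length of each line.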