You could also add a scripted input that periodically checks the age of the lookup files and index the results with Splunk. It should be fairly easy to create a search that produces gauges for the ages of the files. Here's an example scripted input (in python):
#!/usr/bin/python
from __future__ import print_function  # print() works on both Python 2 and 3
import sys, os, datetime, time

# (app, lookup file) pairs to watch; the path is $SPLUNK_HOME/etc/apps/<app>/lookups/<file>
FILES_TO_CHECK = [("search", "lookup1.csv"), ("mcafee_epo", "av_threat_types.csv")]

for app, filename in FILES_TO_CHECK:
    p = os.path.join(os.environ['SPLUNK_HOME'], 'etc', 'apps', app, 'lookups', filename)
    if os.path.exists(p):
        # age = seconds since the file was last modified
        age = time.time() - os.stat(p).st_mtime
        print("%s Lookup file=%s in app=%s age=%d seconds" % (datetime.datetime.now(), filename, app, int(age)))
    else:
        # stderr from a scripted input ends up in splunkd.log, not in the index
        print("Lookup file %s not found (%s)" % (filename, p), file=sys.stderr)
and another example that simply fetches the age of all lookup files:
#!/usr/bin/python
from __future__ import print_function  # print() works on both Python 2 and 3
import sys, os, datetime, time

apps = os.path.join(os.environ['SPLUNK_HOME'], 'etc', 'apps')
for sub in os.listdir(apps):
    lookupsDir = os.path.join(apps, sub, "lookups")
    if os.path.exists(lookupsDir):
        for f in os.listdir(lookupsDir):
            if f.endswith(".csv"):
                p = os.path.join(lookupsDir, f)
                # age = seconds since the file was last modified
                age = time.time() - os.stat(p).st_mtime
                print("%s Lookup file=%s in app=%s has not been modified in age=%d seconds" % (datetime.datetime.now(), f, sub, int(age)))
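An added example (not from the original answer) that generalizes the second script: it walks every app's lookups directory, computes each CSV's age, and flags files older than a threshold so the indexed events carry a ready-made stale=true/false field for a gauge or alert. The scanning logic is split into a function that takes the apps directory and the current time as parameters, so it can be exercised against a temporary directory without a Splunk install. The 24-hour threshold and the key=value event layout are assumptions, not anything Splunk mandates.

```python
#!/usr/bin/env python3
"""Scripted input: report the age of every lookup CSV and flag stale ones."""
import os
import time
from datetime import datetime, timezone

# Assumed threshold: a lookup not modified within a day is reported as stale.
DEFAULT_MAX_AGE = 24 * 3600


def scan_lookups(apps_dir, now=None, max_age=DEFAULT_MAX_AGE):
    """Return one record per .csv under <apps_dir>/<app>/lookups/.

    Each record holds the app, file name, full path, age in whole seconds
    since last modification, and a 'stale' flag set when age exceeds max_age.
    """
    now = time.time() if now is None else now
    records = []
    for app in sorted(os.listdir(apps_dir)):
        lookups_dir = os.path.join(apps_dir, app, "lookups")
        if not os.path.isdir(lookups_dir):  # app has no lookups directory
            continue
        for name in sorted(os.listdir(lookups_dir)):
            if not name.endswith(".csv"):
                continue
            path = os.path.join(lookups_dir, name)
            age = int(now - os.stat(path).st_mtime)
            records.append({
                "app": app,
                "file": name,
                "path": path,
                "age": age,
                "stale": age > max_age,
            })
    return records


def format_event(record, when=None):
    """Render a record as a timestamped key=value line (assumed event layout)."""
    when = when or datetime.now(timezone.utc).isoformat()
    return '%s lookup_file="%s" app="%s" age=%d stale=%s' % (
        when, record["file"], record["app"], record["age"],
        "true" if record["stale"] else "false")


def main():
    apps_dir = os.path.join(os.environ["SPLUNK_HOME"], "etc", "apps")
    for rec in scan_lookups(apps_dir):
        print(format_event(rec))


if __name__ == "__main__":
    main()
```

Because every event carries age and stale as fields, a search such as `... | stats latest(age) by app, lookup_file` feeds a gauge directly, and `stale=true` is a simple alert condition.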