Getting Data In

tuning of file monitoring

vinchakov_a
Path Finder

Good afternoon. I am trying to monitor files. The Splunk version is 6. I ran into problems that are unclear to me:
1) How do I monitor new and deleted files?
2) I created a filter, but it doesn't work?
3) How do I switch off triggering on a change of the file's time?

[filter:blacklist:ignore_logs]
regex1 = *.log$
regex2 = *.LOG$

[fschange:C:\Windows\System32]
pollPeriod = 360
filter = ignore_logs
signedaudit = false
hashMaxSize = 10240
recurse = true
followLinks = true
fullEvent = true
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 100

And this repeats constantly in the logs:

Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
0 Karma

MuS
SplunkTrust

Hi vinchakov_a,

Let me try to answer this:

1) How do I monitor new and deleted files?

This can be done by using the batch input, like this:

[batch://<path>]
* One time, destructive input of files in <path>.

2) I created a filter, but it doesn't work?

Your regexes *.log$ and *.LOG$ do not match the file "C:\Windows\System32\config\SYSTEM.LOG1" because you are searching for files containing a literal * and ending with either .log or .LOG. Try something like this to also match logs whose names contain numbers:

regex1 = .log(\d+)
regex2 = .LOG(\d+)

3) How do I switch off triggering on a change of the file's time?

I don't fully understand what you mean, so I will not provide an answer....

hope this helps ...

cheers, MuS

0 Karma
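To see why the first filter in the question never matches and how the two candidate patterns behave, here is an added example that is not part of the original thread or of Splunk itself. It runs the patterns with Python's re module against constructed Windows paths modelled on the ones in the question; it assumes that Splunk applies a blacklist filter regex with search (unanchored) semantics, so a match anywhere in the path excludes it, and it adds a third, hardened pair of patterns (dot escaped, optional digits, end anchor) as a suggestion that is not from the thread.

```python
import re

# Constructed sample paths, modelled on the ones in the question (not real captures).
SAMPLE_PATHS = [
    r"C:\Windows\System32\config\SYSTEM.LOG1",
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Windows\System32\LogFiles\setup.log",
    r"C:\Windows\System32\LogFiles\Install.LOG",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\logon.exe",  # contains "log" but is not a log file
]

# The three filter definitions under comparison.
ORIGINAL_FILTER = [r"*.log$", r"*.LOG$"]           # as posted in the question
SUGGESTED_FILTER = [r".log(\d+)", r".LOG(\d+)"]    # as suggested in the answer
# Hypothetical hardened variant (assumption, not from the thread): escape the dot so it
# matches a literal ".", allow zero or more trailing digits, anchor at end of path.
HARDENED_FILTER = [r"\.log\d*$", r"\.LOG\d*$"]


def compiles(pattern):
    """Return True if the pattern is a valid regex at all.

    A leading '*' has nothing to repeat, so the original filter does not even
    compile; a regex engine that rejects it cannot exclude anything with it.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def apply_filter(patterns, paths):
    """Return the paths that survive the blacklist, i.e. the ones that would still be reported.

    Assumes search semantics: a match anywhere in the path excludes the path.
    """
    compiled = [re.compile(p) for p in patterns]
    return [path for path in paths if not any(c.search(path) for c in compiled)]


def report(name, patterns):
    """Print what each filter lets through, or that it cannot be compiled."""
    print(f"== {name}: {patterns}")
    if not all(compiles(p) for p in patterns):
        print("   pattern does not compile (nothing to repeat), filter is unusable")
        return
    for path in apply_filter(patterns, SAMPLE_PATHS):
        print("   still reported:", path)


if __name__ == "__main__":
    report("original", ORIGINAL_FILTER)
    report("suggested", SUGGESTED_FILTER)
    report("hardened", HARDENED_FILTER)
```

The suggested filter excludes SYSTEM.LOG1 but, because it demands at least one digit, still lets plain setup.log and Install.LOG through; the hardened pair excludes all three log files while leaving SYSTEM, hosts and logon.exe to be reported. If Splunk's filter engine anchored matches at the start of the path instead of searching, a leading `.*` would be needed; that is the reason the semantics are stated as an assumption here.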

MuS
SplunkTrust

good one, but remember it will be a lower s

0 Karma

vinchakov_a
Path Finder

I found the mistake:
filterS = ignore_logs

0 Karma

MuS
SplunkTrust

You can try .log or .LOG as well.

0 Karma

vinchakov_a
Path Finder

The regex doesn't work...

0 Karma

vinchakov_a
Path Finder

Thanks, I will try your regex. But I think batch is not what I need. I need Splunk to report when a new file appears in the folder or an old one is deleted.

0 Karma