Getting Data In

tuning of file monitoring

vinchakov_a
Path Finder

Good afternoon, I am trying to monitor files. The Splunk version is 6. I ran into some problems that are unclear to me:
1) How do I monitor new files and deleted files?
2) I created the filter, but it doesn't work?
3) How do I switch off triggering on a change of the file's time?

[filter:blacklist:ignore_logs]
regex1 = *.log$
regex2 = *.LOG$

[fschange:C:\Windows\System32]
pollPeriod = 360
filter = ignore_logs
signedaudit = false
hashMaxSize = 10240
recurse = true
followLinks = true
fullEvent = true
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 100

And this repeats constantly in the logs:

Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
0 Karma

MuS
SplunkTrust

Hi vinchakov_a,

Let me try to answer this:

1) How do I monitor new files and deleted files?

This can be done by using the batch input, like this:

[batch://<path>]
* One time, destructive input of files in <path>.

2) I created the filter, but it doesn't work?

Your regexes *.log$ and *.LOG$ do not match the file "C:\Windows\System32\config\SYSTEM.LOG1" because you are searching for files containing a literal * and ending with either .log or .LOG. Try something like this to also match logs containing numbers:

regex1 = .log(\d+)
regex2 = .LOG(\d+)

3) How do I switch off triggering on a change of the file's time?

I don't fully understand what you mean, so I will not provide an answer...

Hope this helps...

cheers, MuS

0 Karma
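As an added example (not code from the thread or from Splunk), the following Python script checks the blacklist patterns from the question and from the answer above against the two fschange events quoted in the question, which are embedded here as constructed sample input. It shows why the posted patterns can never match (a leading * has nothing to repeat and the regex fails to compile) and which of the events the suggested patterns would suppress. Python's re engine stands in for Splunk's own matcher; that they behave the same on these patterns is an assumption. The script also extracts the chgs field, which is the only evidence on the page for what question 3 is about (events whose only recorded change is modtime).

```python
import re

# Constructed sample input: the two fschange events quoted in the question.
SAMPLE_EVENTS = [
    'Tue Mar 18 11:32:45 2014 action=update, path="C:\\Windows\\System32\\config\\SYSTEM.LOG1", '
    'isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", '
    'mode="rwxrwxrwx", hash=, chgs="modtime "',
    'Tue Mar 18 11:32:45 2014 action=update, path="C:\\Windows\\System32\\config\\SYSTEM", '
    'isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", '
    'mode="rwxrwxrwx", hash=, chgs="modtime "',
]

# The patterns as posted in the question and as suggested in the answer.
POSTED_PATTERNS = {"regex1": "*.log$", "regex2": "*.LOG$"}
SUGGESTED_PATTERNS = {"regex1": r".log(\d+)", "regex2": r".LOG(\d+)"}

# Field extractor for the fschange event format shown in the question.
EVENT_RE = re.compile(
    r'action=(?P<action>\w+), path="(?P<path>[^"]*)".*chgs="(?P<chgs>[^"]*)"'
)


def compile_blacklist(patterns):
    """Compile each filter regex; return (compiled, errors).

    Python's re engine is used as a stand-in for Splunk's matcher (an
    assumption). A quantifier with nothing before it, as in '*.log$', is
    rejected by PCRE-style engines in general, so the posted patterns
    end up in `errors` rather than `compiled`.
    """
    compiled, errors = {}, {}
    for name, pattern in patterns.items():
        try:
            compiled[name] = re.compile(pattern)
        except re.error as exc:
            errors[name] = str(exc)
    return compiled, errors


def parse_event(line):
    """Pull action, path and the list of changed attributes out of one event."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return {
        "action": m.group("action"),
        "path": m.group("path"),
        "chgs": m.group("chgs").split(),
    }


def triage(lines, patterns):
    """For each event, report whether the blacklist would drop it and whether
    the only change recorded is the modification time."""
    compiled, errors = compile_blacklist(patterns)
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ev["blacklisted"] = any(rx.search(ev["path"]) for rx in compiled.values())
        ev["modtime_only"] = ev["chgs"] == ["modtime"]
        results.append(ev)
    return results, errors


if __name__ == "__main__":
    for label, pats in (("posted", POSTED_PATTERNS), ("suggested", SUGGESTED_PATTERNS)):
        results, errors = triage(SAMPLE_EVENTS, pats)
        print(f"--- {label} patterns ---")
        for name, err in errors.items():
            print(f"  {name}: INVALID ({err})")
        for ev in results:
            print(f"  {ev['path']}: blacklisted={ev['blacklisted']} "
                  f"modtime_only={ev['modtime_only']}")
```

Run as-is, the posted patterns both fail to compile, so nothing is ever filtered; with the suggested patterns, SYSTEM.LOG1 is matched by regex2 (.LOG is case-sensitive, so regex1 does not fire) while SYSTEM is still reported. Note that the suggested patterns leave the dot unescaped, so `.LOG(\d+)` also matches any character before LOG, and they do not anchor at the end of the name; both events carry chgs="modtime" only, which is the noise the third question is about. Checking patterns this way before putting them in the stanza keeps the fschange feed on a directory like System32 from being flooded by touches you meant to ignore, and the thread's own follow-up points out that the stanza key is filters, not filter.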

MuS
SplunkTrust

good one, but remember it will be a lower s

0 Karma

vinchakov_a
Path Finder

I found the mistake:
filterS = ignore_logs

0 Karma

MuS
SplunkTrust

You can try .log or .LOG as well.

0 Karma

vinchakov_a
Path Finder

The regex does not work...

0 Karma

vinchakov_a
Path Finder

Thanks, I will try your regex. But I think batch is not what I need. I need Splunk to report when a new file appears in the folder or an old one is deleted.

0 Karma