How to monitor a directory without indexing file c...

sathiyasun · ‎03-02-2016

I want to monitor only files that are 3 hours old in a particular directory and DON'T want to index content of the files. Also, monitor the size of the files.

I want to set up alert for files in a directory that are more than 3 hour old and with size more than 200KB. Please let me know the possibilities.

s2_splunk · ‎03-02-2016

Create a scripted input that lists the directory contents periodically and index the output. Run your search against that data, which contains both the last modified date as well as the file size. On Linux, ls -lh would do that. You can get fancier and write a script that processes the output into key/value pairs, which will make searching it in Splunk a tad bit easier.

sathiyasun · ‎03-03-2016

Here is the thing, I have all the files in forwarder location and want to monitor when the file was created and how long its sitting in the directory.

ls -ltr output --don't want to index the content in the files.

Please let me know how to index the files names and details(ls -lh) details in to splunk,

dflodstrom · ‎03-03-2016

Pipe the output of those commands into a file that Splunk monitors.

ls -lh >> indexThisFile.log

I'd recommend massaging the output so that it is easily searched as suggested by @ssivert

How to monitor a directory without indexing file contents and alert when files in the directory are 3 hours hold and greater than 200KB?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life