Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring Static file

aina_sloan
New Member
‎02-08-2018 04:19 PM

Hi there,

I am trying to monitor a file that doesn't change often - WebSphere nodeagent monitor.state file. I understand that the best and easiest option would be to use scripted input. However, the use of scripted input is not permitted on the client site. Can anyone please advise if there is another way to re-index a file that hasn't changed let's say once a week?

Tags (1)
0 Karma
Reply

aina_sloan
New Member
‎02-09-2018 10:31 AM

The solution that my colleague and I found at the end was to use scheduled search that runs on specified interval and outputs the results into a csv file. I can then use the csv file to create the necessary searches and build dashboard panels. This means that the results will not drop off the index, the retention policy doesn't need to be very long and the searches that are using the output from the lookup table doesn't need to be in a long time range. I guess the best solution in this use case is to use the scheduled search that writes to a lookup table. Although I agree that scripted input would have been the best solution if it would have been permitted. This is an isolated use case based on a particular organisational policies.

0 Karma
Reply

micahkemp
Champion
‎02-09-2018 10:33 AM

If your results are in a CSV, and you're using a scheduled search to get the results into the CSV, you don't need to monitor the CSV at all. You can just use | inputlookup <csv> every time you run a search instead.

0 Karma
Reply

micahkemp
Champion
‎02-09-2018 07:37 AM

This is definitely a non-standard use case. As @adonio mentioned, it may be worth reconsidering the value in indexing a file with no changes at an interval basis.

That said, would you be allowed to use a modular input with this client? It is technically a script, but so it a good portion of Splunk itself.

0 Karma
Reply

ansif
Motivator
‎02-09-2018 05:23 AM

Let me understand the question correctly,why cant you schedule interval in inputs.conf?

0 Karma
Reply

adonio
Ultra Champion
‎02-09-2018 05:29 AM

you can on a scripted input...
create a script that will read your file and index it again

0 Karma
Reply

aina_sloan
New Member
‎02-09-2018 10:23 AM

I am not allowed to use scripted input. Against company's policy

0 Karma
Reply

nabeel652
Builder
‎02-08-2018 04:47 PM

can you install Universal Forwarder on the system where that static file exists?

0 Karma
Reply

aina_sloan
New Member
‎02-08-2018 05:40 PM

Hi. Thank you for responding so promptly. The Universal Forwarder is installed on the server that contains this file in /opt directory . I have indexed the file. However, the issue is that this file may not change for a long time and splunk is monitoring the files for changes. What I am trying to achieve is to index the same file as per interval basis, which may be not possible.

0 Karma
Reply

adonio
Ultra Champion
‎02-09-2018 05:06 AM

if the file does not change, what is the use case of indexing it on an interval basis?

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...