Re: Tracking if file size is 0 bytes 30 seconds af...

suhanrs · ‎08-01-2018

How to track if file size is 0 bytes 30 seconds after creation. Can anyone help me with this?

Thank you very much.

skoelpin · ‎08-01-2018

This can be done with some conditional logic.

This assumes you have a filed called Creation_time which is in seconds AND have a field called bytes

| eval Creation_time_plus_thirty='Creation_time'+30
| eval time_after_creation=if(_time>'Creation_time_plus_thirty',1,0)
| eval ALERT=if(time_after_creation=1 AND bytes=0,"ALERT","GOOD")
| search ALERT="ALERT"

suhanrs · ‎08-01-2018

Thank you for your help.
But what search command do I have to use to get the file size if there is no field called bytes?

skoelpin · ‎08-02-2018

How are you currently calculating bytes? Do you have a GB, MB, or KB field?

suhanrs · ‎08-02-2018

No, there is no any field called bytes but I need to monitor the file size of a particular path.

I have tried with fschange stanza in inputs but it throws an error;
FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time

How can I solve this?

skoelpin · ‎08-03-2018

Then how do you plan on doing this if you aren't monitoring the byte size? You should strongly consider these details before asking questions on here and wasting time

Tracking if file size is 0 bytes 30 seconds after creation

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases