https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381787#M6339 <P>Then how do you plan on doing this if you aren't monitoring the byte size? You should strongly consider these details before asking questions on here and wasting time</P> Fri, 03 Aug 2018 13:43:21 GMT skoelpin 2018-08-03T13:43:21Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381782#M6334 <P>How to track if file size is 0 bytes 30 seconds after creation. Can anyone help me with this?</P> <P>Thank you very much.</P> Wed, 01 Aug 2018 09:43:03 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381782#M6334 suhanrs 2018-08-01T09:43:03Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381783#M6335 <P>This can be done with some conditional logic. </P> <P>This assumes you have a filed called <CODE>Creation_time</CODE> which is in seconds AND have a field called <CODE>bytes</CODE></P> <PRE><CODE>| eval Creation_time_plus_thirty='Creation_time'+30 | eval time_after_creation=if(_time&gt;'Creation_time_plus_thirty',1,0) | eval ALERT=if(time_after_creation=1 AND bytes=0,"ALERT","GOOD") | search ALERT="ALERT" </CODE></PRE> Wed, 01 Aug 2018 15:27:50 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381783#M6335 skoelpin 2018-08-01T15:27:50Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381784#M6336 <P>Thank you for your help. <BR /> But what search command do I have to use to get the file size if there is no field called bytes?</P> Thu, 02 Aug 2018 03:01:22 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381784#M6336 suhanrs 2018-08-02T03:01:22Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381785#M6337 <P>How are you currently calculating bytes? Do you have a GB, MB, or KB field? </P> Thu, 02 Aug 2018 13:30:03 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381785#M6337 skoelpin 2018-08-02T13:30:03Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381786#M6338 <P>No, there is no any field called bytes but I need to monitor the file size of a particular path.</P> <P>I have tried with fschange stanza in inputs but it throws an error;<BR /> FSChangeMonitor - Monitoring file or directory that doesn't exist at startup time</P> <P>How can I solve this?</P> Fri, 03 Aug 2018 03:39:47 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381786#M6338 suhanrs 2018-08-03T03:39:47Z https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381787#M6339 <P>Then how do you plan on doing this if you aren't monitoring the byte size? You should strongly consider these details before asking questions on here and wasting time</P> Fri, 03 Aug 2018 13:43:21 GMT https://community.splunk.com/t5/Splunk-Dev/Tracking-if-file-size-is-0-bytes-30-seconds-after-creation/m-p/381787#M6339 skoelpin 2018-08-03T13:43:21Z