<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: File age/processing measurement in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106103#M22326</link>
    <description>&lt;P&gt;Use the fschange monitoring - it should work great, because this is exactly what it is designed to do! You can read up on it n the manuals, but you probably don't need any of the advanced options. Just do this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[fschange:/xxx/yyy/pending]
pollPeriod=60
sourcetype=PendingFileMonitor
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will create an event every time a file is added, deleted or changed in the directory. The events are nicely formatted and have a field identifying the exact file name and what the change was. pollPeriod is how often Splunk should check the directory for changes (in seconds). Where I have specified &lt;CODE&gt;/xxx/yyy/pending&lt;/CODE&gt;, you should put the absolute path to the directory.&lt;/P&gt;</description>
    <pubDate>Mon, 29 Oct 2012 20:23:25 GMT</pubDate>
    <dc:creator>lguinn2</dc:creator>
    <dc:date>2012-10-29T20:23:25Z</dc:date>
    <item>
      <title>File age/processing measurement</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106102#M22325</link>
      <description>&lt;P&gt;Have a set of directories that act as "holding" or "pending" directories for file transfer.  Essentially we transfer the file and then put a copy  of it in the /pending/ directory awaiting the remote site to process and confirm.  This process and confirm can take between 10 minutes and 2 hours.  Once the files are processed and confirmed we remove the file from /pending and move it to /sent.&lt;/P&gt;

&lt;P&gt;What I want to do is to monitor the /pending directory.  Capture the file's initial receipt and track until it is removed.  I don't need to index the file, CRC the file, or any of that, I just need to say, "Hey! File xxxx.zip is here" and "Hey! File xxxx.zip is no longer here." so I can pull some metrics on how long the process takes as well as set up alerts for when it takes to long.&lt;/P&gt;

&lt;P&gt;Anyone done anything like this and have any suggestions?&lt;/P&gt;

&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 29 Oct 2012 20:01:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106102#M22325</guid>
      <dc:creator>tyronetv</dc:creator>
      <dc:date>2012-10-29T20:01:33Z</dc:date>
    </item>
    <item>
      <title>Re: File age/processing measurement</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106103#M22326</link>
      <description>&lt;P&gt;Use the fschange monitoring - it should work great, because this is exactly what it is designed to do! You can read up on it n the manuals, but you probably don't need any of the advanced options. Just do this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[fschange:/xxx/yyy/pending]
pollPeriod=60
sourcetype=PendingFileMonitor
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will create an event every time a file is added, deleted or changed in the directory. The events are nicely formatted and have a field identifying the exact file name and what the change was. pollPeriod is how often Splunk should check the directory for changes (in seconds). Where I have specified &lt;CODE&gt;/xxx/yyy/pending&lt;/CODE&gt;, you should put the absolute path to the directory.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Oct 2012 20:23:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106103#M22326</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-10-29T20:23:25Z</dc:date>
    </item>
    <item>
      <title>Re: File age/processing measurement</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106104#M22327</link>
      <description>&lt;P&gt;Keep in mind you cannot simultaneously watch a directory using both fschange monitor and monitor. Also depending on how many files are in your directory and sub-dirs(if recursive is enabled) CPU of your host system could be impacted. In the event that occurs look at adding the following settings to fschange stanza; filesPerDelay and delayInMills .&lt;/P&gt;</description>
      <pubDate>Mon, 29 Oct 2012 22:02:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106104#M22327</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2012-10-29T22:02:02Z</dc:date>
    </item>
    <item>
      <title>Re: File age/processing measurement</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106105#M22328</link>
      <description>&lt;P&gt;With fschange being phased out (via my Splunk&amp;gt; 5.0 notes) I wonder how much longer this will be valid.&lt;/P&gt;</description>
      <pubDate>Thu, 01 Nov 2012 18:59:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106105#M22328</guid>
      <dc:creator>tyronetv</dc:creator>
      <dc:date>2012-11-01T18:59:51Z</dc:date>
    </item>
    <item>
      <title>Re: File age/processing measurement</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106106#M22329</link>
      <description>&lt;P&gt;Good point about the phase-out, but my &lt;EM&gt;guess&lt;/EM&gt; is that it will be at least a year. That's an absolute SWAG, based on how often major updates have occurred in the past. I am hoping (again, no data here) that there will be a good replacement for this functionality by then.  See &lt;A href="http://splunk-base.splunk.com/answers/63874/why-is-fschange-a-deprecated-feature-in-splunk-50"&gt;http://splunk-base.splunk.com/answers/63874/why-is-fschange-a-deprecated-feature-in-splunk-50&lt;/A&gt; for more info&lt;/P&gt;</description>
      <pubDate>Fri, 02 Nov 2012 15:18:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/File-age-processing-measurement/m-p/106106#M22329</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-11-02T15:18:37Z</dc:date>
    </item>
  </channel>
</rss>

