https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77596#M12229 <P>Many thanks for your reply. As I am monitoring a folder for an application which has been installed on a Windows server, would you be able to confirm that I am updating the correct inputs.conf file to monitor for any changes.</P> <P>C:\Program Files\Splunk\etc\apps\launcher\local</P> <P>According to the document update the file in SPLUNK_HOME/etc/system/local/ When I open up this folder it only contains the name of the server.</P> Tue, 20 Sep 2011 15:12:40 GMT itsomana 2011-09-20T15:12:40Z https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77594#M12227 <P>There is an application running on a server that when an error occurs it creates a new folder. file. I have splunk monitoring the root of the folder, however is there any way that I can get Splunk to alert me if a new folder is automatically created. I cannot monitor for the files in the new folder as the files are always different.</P> Mon, 19 Sep 2011 09:09:00 GMT https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77594#M12227 itsomana 2011-09-19T09:09:00Z https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77595#M12228 <P>You may want to consider using "fschange" instead of monitor. This will (1) give you a specific event when a new directory is created, and (2) this could be a more natural fit for one-time generated crash dump files. This means that splunk will perodically check for changed or new files, but it will not be polling as agressivly as it would with a standard "monitor" input.</P> <P>You can also have control over weather or not you want to actually index the entire file, or if you just want to see that one was created (all depending on your desired use.)</P> <P>I would suggest you start by reading the <A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorChangestoYourFileSystem">Monitor Changes to your file system</A> docs.</P> <HR /> <P>It would certainly be possible to look for the creation of new folders based on newly appearing sources in your index, but this would require (1) storing of state between your searches to know when something new appears, and (2) it would require some assumptions about the timestamps of your events and any indexing delays.... So yeah, it could be done, but I suspect that <CODE>fschange</CODE> will be a more straightforward solution.</P> Mon, 19 Sep 2011 14:34:54 GMT https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77595#M12228 Lowell 2011-09-19T14:34:54Z https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77596#M12229 <P>Many thanks for your reply. As I am monitoring a folder for an application which has been installed on a Windows server, would you be able to confirm that I am updating the correct inputs.conf file to monitor for any changes.</P> <P>C:\Program Files\Splunk\etc\apps\launcher\local</P> <P>According to the document update the file in SPLUNK_HOME/etc/system/local/ When I open up this folder it only contains the name of the server.</P> Tue, 20 Sep 2011 15:12:40 GMT https://community.splunk.com/t5/Alerting/Alert-on-The-Creation-Of-New-Folders/m-p/77596#M12229 itsomana 2011-09-20T15:12:40Z