https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408639#M117975 <P>Hi HiroshiSatoh,</P> <P>Reading the inputs.conf documentation it seems the "fschange" is deprecated since version 5.0<BR /> I will probably go with a UNIX script that works in that way:</P> <OL> <LI><P>Find all the files in folder A that:<BR /> are not older than 1 day<BR /> are closed<BR /> have a size lower than 10MB</P></LI> <LI><P>based on the files found at point 1, generate symbolic links in folder B</P></LI> <LI><P>Monitor with Splunk the symbolic links in folder B</P></LI> <LI><P>Cancel symbolic links older than 2 days</P></LI> </OL> <P>Best Regards,<BR /> Edoardo</P> Tue, 26 Jun 2018 12:25:57 GMT edoardo_vicendo 2018-06-26T12:25:57Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408634#M117970 <P>Hi All,</P> <P>I have to monitor a folder where there are very huge files with file name automatically generated.<BR /> Is there some way (instead of write a custom UNIX script that moves only small files to another folder that will be then monitored by the forwarder) to blacklist files that have a size greater than (suppose) 10 MB?</P> <P>Any other suggestion with Splunk stanza attributes is appreciated.</P> <P>Thanks a lot,<BR /> Edoardo</P> Mon, 25 Jun 2018 14:43:25 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408634#M117970 edoardo_vicendo 2018-06-25T14:43:25Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408635#M117971 <P>hello there,<BR /> if the files have some naming convention you can follow, you can apply rules based on their name.</P> Mon, 25 Jun 2018 23:44:09 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408635#M117971 adonio 2018-06-25T23:44:09Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408636#M117972 <P>It can not be executed because there is no size limit parameter in "monitor".<BR /> If it is "fschange", it may be restricted by "endEventMaxSize". However, it captures the entire file, not differential import.</P> Tue, 26 Jun 2018 01:10:24 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408636#M117972 HiroshiSatoh 2018-06-26T01:10:24Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408637#M117973 <P>Hi Adonio,</P> <P>Unfortunately there is no logic in the file name.</P> <P>Thanks a lot,<BR /> Edoardo</P> Tue, 26 Jun 2018 11:57:14 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408637#M117973 edoardo_vicendo 2018-06-26T11:57:14Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408638#M117974 <P>@HiroshiSatoh has the right answer imho</P> Tue, 26 Jun 2018 12:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408638#M117974 adonio 2018-06-26T12:16:34Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408639#M117975 <P>Hi HiroshiSatoh,</P> <P>Reading the inputs.conf documentation it seems the "fschange" is deprecated since version 5.0<BR /> I will probably go with a UNIX script that works in that way:</P> <OL> <LI><P>Find all the files in folder A that:<BR /> are not older than 1 day<BR /> are closed<BR /> have a size lower than 10MB</P></LI> <LI><P>based on the files found at point 1, generate symbolic links in folder B</P></LI> <LI><P>Monitor with Splunk the symbolic links in folder B</P></LI> <LI><P>Cancel symbolic links older than 2 days</P></LI> </OL> <P>Best Regards,<BR /> Edoardo</P> Tue, 26 Jun 2018 12:25:57 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408639#M117975 edoardo_vicendo 2018-06-26T12:25:57Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408640#M117976 <P>fschange has not been deleted yet. It is convenient so I am using it now.</P> Tue, 26 Jun 2018 12:46:12 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408640#M117976 HiroshiSatoh 2018-06-26T12:46:12Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408641#M117977 <P>i recommend not to use symbolic link, splunk is not always good in understanding it with the monitor stanza<BR /> better find files matching criteria - &gt; copy to a new directory -&gt; monitor that directory</P> Tue, 26 Jun 2018 13:44:29 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408641#M117977 adonio 2018-06-26T13:44:29Z https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408642#M117978 <P>Hi All,</P> <P>At the end I went with a UNIX script that works in that way:</P> <P>Find all the files in folder A that:</P> <UL> <LI>are not older than 5 minutes (see find with -mtime) </LI> <LI>are closed</LI> <LI>have a size lower than 16KB (that in my case means around 400 lines)</LI> </UL> <P>Those files will be then copied in the folder moniterd in batch mode by the forwarder.<BR /> For the files greater than 16KB I have done a head -200 and tail -200 and copied as well with the same original file name in the folder moniterd in batch mode by the forwarder.</P> <P>Thanks to all for your suggestions!</P> <P>Best Regards,<BR /> Edoardo</P> Mon, 05 Nov 2018 17:24:24 GMT https://community.splunk.com/t5/Splunk-Search/Blacklist-files-greater-than-a-certain-size-from-inputs-conf/m-p/408642#M117978 edoardo_vicendo 2018-11-05T17:24:24Z