Alerting

Alert on The Creation Of New Folders

itsomana
Path Finder

There is an application running on a server that creates a new folder when an error occurs. I have Splunk monitoring the root of the folder; however, is there any way that I can get Splunk to alert me if a new folder is automatically created? I cannot monitor for the files in the new folder as the files are always different.

1 Solution

Lowell
Super Champion

You may want to consider using "fschange" instead of monitor. This will (1) give you a specific event when a new directory is created, and (2) this could be a more natural fit for one-time generated crash dump files. This means that Splunk will periodically check for changed or new files, but it will not be polling as aggressively as it would with a standard "monitor" input.

You can also have control over whether or not you want to actually index the entire file, or if you just want to see that one was created (all depending on your desired use).

I would suggest you start by reading the Monitor Changes to your file system docs.

It would certainly be possible to look for the creation of new folders based on newly appearing sources in your index, but this would require (1) storing state between your searches to know when something new appears, and (2) making some assumptions about the timestamps of your events and any indexing delays... So yeah, it could be done, but I suspect that fschange will be a more straightforward solution.

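A concrete configuration for the approach Lowell describes, added here as an example and not taken from the original answer or from Splunk's documentation: an fschange input on the application's error directory with content indexing turned off, plus a scheduled alert that fires when that input reports a newly added directory. The application path C:\Program Files\MyApp\errors and the e-mail recipient are placeholders; the stanzas go in SPLUNK_HOME\etc\system\local\ (the location the follow-up below asks about). The fs_notification sourcetype and its action, path and isdir fields are written from memory of how fschange events look, so treat them as assumptions: run `sourcetype=fs_notification | head 5` after a restart and adjust the alert's search to the field names you actually see.

```ini
# SPLUNK_HOME\etc\system\local\inputs.conf  (on Windows, typically
# C:\Program Files\Splunk\etc\system\local\inputs.conf; create it if absent)
#
# fschange polls the directory and emits one event per add/update/delete.
# The application path is a placeholder for the real error folder.
[fschange:C:\Program Files\MyApp\errors]
# Only the top level matters: each error produces a new sub-folder here.
recurse = false
# Seconds between polls (the default is 3600). Cheap on a single directory.
pollPeriod = 60
# Report the change only; do not index the contents of the new files.
fullEvent = false
# false = plain events (sourcetype fs_notification) in the default index;
# true would send them to the _audit index as signed audit events instead.
signedaudit = false

# SPLUNK_HOME\etc\system\local\savedsearches.conf
[MyApp error folder created]
# Assumed event shape: action="add" with isdir=1 marks a new directory.
# Verify the field names first with: sourcetype=fs_notification | head 5
search = sourcetype=fs_notification action="add" isdir=1 path="C:\\Program Files\\MyApp\\errors\\*"
# Run every 5 minutes over the last 10, so a slow poll cycle is not missed.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
# Alert when at least one matching event was indexed.
counttype = number of events
relation = greater than
quantity = 0
# One alert per new folder, not one per scheduled run that still sees it.
alert.suppress = 1
alert.suppress.period = 15m
alert.suppress.fields = path
action.email = 1
action.email.to = ops@example.com
```

Restart Splunk after editing inputs.conf so the new input is picked up. Two caveats: fschange was deprecated in Splunk Enterprise 5.0, so confirm it is still available on your version before relying on it; and the alert only tells you that a folder appeared, which is the point of the question, but with fullEvent = false nothing from inside the folder is indexed, so keep the existing monitor input if you also need the file contents.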

itsomana
Path Finder

Many thanks for your reply. As I am monitoring a folder for an application which has been installed on a Windows server, would you be able to confirm that I am updating the correct inputs.conf file to monitor for any changes?

C:\Program Files\Splunk\etc\apps\launcher\local

According to the document, the file to update is in SPLUNK_HOME/etc/system/local/. When I open up this folder it only contains the name of the server.


