Execute a script when a file is uploaded

guidovicino · ‎03-20-2013

Hi,

we need to trigger a script that makes an SQL insert and this script needs to be triggered when a file is loaded inside Spunk, ie:

An external job create a log file: /upload_dir/foo_20130320_20.dat
Splunk read and store the /upload_dir/foo_20130320_20.dat
Splunk delete the /upload_dir/foo_20130320_20.dat after the loading
An alert is triggered and a script executed.

Thanks and best regards,
Guido.

guidovicino · ‎03-21-2013

@martin_mueller

Thank you for the answer but I do not understand what you mean with "LicenseUsage". I've worked with other SIEM products but I'm a Splunk newbie.

I thought to exploit the real-time search in the following manner. If I insert a bait with a string appended to the file like this:

SIEM\_SOME\_UNIQUEID\_END\_OF\_LOG\_filename\_date\_time.dat

and define an alert that runs the script when I find a record with this string and triggers the execution of a script by using the following features:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Monitorfilesanddirectories

What do you think?

martin_mueller · ‎03-20-2013

Detecting the deletion may be hard to do, however you can try fiddling with Metrics and LicenseUsage from _internal for sources that match your upload dir. Those may or may not approximate what you need.

Execute a script when a file is uploaded

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life