I am trying to monitor a folder and send an alert notification. The idea of this task is to monitor the folder and check that the files in the folder are getting processed and then moved to another application. The task is to send an alert for the files which take longer than a period of time which I set. Any suggestion will be helpful.
I would probably write a scripted input that collected the names of the files in the folder (perhaps with additional information) on a regular schedule - maybe once a minute. Assume that I have a field named filename and that I have placed the data in a sourcetype named appMonitor. Finally, I want to report files that have been in the directory for more than 5 minutes (600 seconds).
sourcetype=appMonitor | stats range(_time) as timeInQueue by filename | where timeInQueue > 600
Save this search and set it to run every 10 minutes over the prior 10 minutes. Set it to alert when the number of results is > 0.
Obviously you can adjust time ranges, etc. from this example.
Thanks for the response.
I cannot collect the file names because they are changing all the time. So, I am just trying to monitor the folder without specifying any filenames.
I am trying to have a different configuration in order to monitor the folder, but I don't have permission to do so. Is there another way to do it? Because when I try to Add Data, I cannot choose the folder; I have to choose the file, which I do not want to.
Any suggestion will be helpful
Okay, my solution requires that the scripted input collects the file name. So you need to write a script that Splunk runs. In your Add Data, you will specify that script. You will not specify either the folder name or the file names.
Of course, your script will have to read the names of the files in the folder. If your script can't get the file names, this solution will not work.
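As an added example covering both answers above (it is not code from the original posts), here is a Python script of the kind that could be registered as a Splunk scripted input: it lists the watched folder on each run and prints one event per file with the filename (and, as the "additional information" mentioned, the file's age from its modification time), plus a plain-Python version of the `stats range(_time) ... | where` logic so the alert condition can be checked outside Splunk. The folder path, threshold, and all function names are assumptions for this example. The sample polling data in `constructed_poll_events` and the temporary folder built by `constructed_folder` are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a scripted-input style folder poller
and the per-filename time-in-queue check the Splunk search performs.
WATCH_DIR, THRESHOLD_SECONDS and every function name here are assumptions."""

import os
import tempfile
import time

# Assumed folder to watch and assumed alert threshold (seconds).
WATCH_DIR = os.environ.get("WATCH_DIR", "/var/spool/app/incoming")
THRESHOLD_SECONDS = 600


def list_folder(path, now=None):
    """Return (poll_epoch, filename, age_seconds) for each regular file in path.
    `now` may be injected for testing; it defaults to the wall clock."""
    now = int(time.time()) if now is None else int(now)
    rows = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            age = int(now - os.path.getmtime(full))
            rows.append((now, name, age))
    return rows


def format_event(epoch, filename, age):
    """Render one key=value event line. The leading timestamp becomes _time in
    Splunk and filename / age_seconds are picked up by automatic field extraction."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(epoch))
    return f'{stamp} filename="{filename}" age_seconds={age}'


def emit_folder_events(path=WATCH_DIR):
    """Entry point when Splunk runs this as a scripted input: events go to stdout."""
    for epoch, name, age in list_folder(path):
        print(format_event(epoch, name, age))


def files_over_threshold(events, threshold=THRESHOLD_SECONDS):
    """Python equivalent of:
    stats range(_time) as timeInQueue by filename | where timeInQueue > threshold
    `events` is an iterable of (poll_epoch, filename) pairs, one per file per poll.
    Returns {filename: timeInQueue} for files seen over a span longer than threshold."""
    first, last = {}, {}
    for epoch, name in events:
        first[name] = min(epoch, first.get(name, epoch))
        last[name] = max(epoch, last.get(name, epoch))
    return {name: last[name] - first[name]
            for name in first if last[name] - first[name] > threshold}


def constructed_poll_events():
    """Constructed sample data: one poll per minute. a.csv is present for 12
    polls (660 s span), b.csv only for polls 5..8 (180 s span)."""
    base = 1_700_000_000
    events = [(base + i * 60, "a.csv") for i in range(12)]
    events += [(base + i * 60, "b.csv") for i in range(5, 9)]
    return events


def constructed_folder():
    """Build a constructed temporary folder with two files whose mtimes are
    pinned, and return (path, now) so list_folder ages are deterministic."""
    path = tempfile.mkdtemp(prefix="appmonitor_")
    now = 2000
    for name, mtime in (("old.dat", 1000), ("fresh.dat", 1950)):
        full = os.path.join(path, name)
        open(full, "w").close()
        os.utime(full, (mtime, mtime))
    return path, now


if __name__ == "__main__":
    emit_folder_events()
```

One caveat worth keeping in mind when wiring this up: `range(_time)` is computed only over the events inside the saved search's time window, so a file can never show a timeInQueue larger than that window. The window therefore has to be longer than the threshold in the `where` clause, or the alert will never fire.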