I want to monitor only files that are 3 hours old in a particular directory and DON'T want to index content of the files. Also, monitor the size of the files.
I want to set up an alert for files in a directory that are more than 3 hours old and with a size of more than 200KB. Please let me know the possibilities.
Create a scripted input that lists the directory contents periodically and index the output. Run your search against that data, which contains both the last modified date as well as the file size. On Linux, ls -lh would do that. You can get fancier and write a script that processes the output into key/value pairs, which will make searching it in Splunk a tad bit easier.
Here is the thing: I have all the files in the forwarder location and want to monitor when the file was created and how long it's sitting in the directory.
I only want the ls -ltr output; I don't want to index the content of the files.
Please let me know how to index the file names and details (ls -lh) into Splunk.
Pipe the output of those commands into a file that Splunk monitors.
ls -lh >> indexThisFile.log
I'd recommend massaging the output so that it is easily searched, as suggested by @ssivert.
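A scripted input in the spirit of both answers above, added here as an example (not code from the original thread or from Splunk): it emits one key=value event per regular file with its size and modification time, so the 3-hour/200KB alert becomes a plain search over the indexed listing and no file content is ever indexed. The watched directory, the thresholds, the sourcetype name and the GNU/BSD stat fallback are assumptions.

```shell
#!/bin/sh
# Scripted input: list a directory as key=value events for Splunk.
# Only metadata is emitted; file contents are never read or indexed.
# Assumed thresholds from the question: 3 hours and 200 KB.
MAX_AGE_SEC=10800
MAX_SIZE_BYTES=204800

# Modification time as epoch seconds; GNU stat first, BSD stat as fallback
file_mtime() {
  stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print one event per regular file in $1: collection timestamp, directory,
# file name, size, mtime, age at collection time, and a stale flag that is
# 1 only when the file is both older than 3h and larger than 200 KB.
list_dir_kv() {
  dir=$1
  now=$(date +%s)
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    size=$(wc -c < "$f" | tr -d ' ')
    mtime=$(file_mtime "$f")
    age=$((now - mtime))
    stale=0
    if [ "$age" -gt "$MAX_AGE_SEC" ] && [ "$size" -gt "$MAX_SIZE_BYTES" ]; then
      stale=1
    fi
    printf '%s dir="%s" file="%s" size_bytes=%s mtime_epoch=%s age_sec=%s stale=%s\n' \
      "$ts" "$dir" "$(basename "$f")" "$size" "$mtime" "$age" "$stale"
  done
}

# Run as a scripted input with the watched directory as the argument.
# Example alert search over the indexed events (sourcetype is assumed):
#   sourcetype=dir_listing stale=1 | table _time dir file size_bytes age_sec
# Because mtime_epoch is indexed, age can also be recomputed at search time:
#   sourcetype=dir_listing | eval age_now=now()-mtime_epoch
#   | where age_now>10800 AND size_bytes>204800
if [ $# -gt 0 ]; then
  list_dir_kv "$1"
fi
```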