Archive

Alert on The Creation Of New Folders

Path Finder

There is an application running on a server that when an error occurs it creates a new folder. file. I have splunk monitoring the root of the folder, however is there any way that I can get Splunk to alert me if a new folder is automatically created. I cannot monitor for the files in the new folder as the files are always different.

Tags (1)
1 Solution

Super Champion

You may want to consider using "fschange" instead of monitor. This will (1) give you a specific event when a new directory is created, and (2) this could be a more natural fit for one-time generated crash dump files. This means that splunk will perodically check for changed or new files, but it will not be polling as agressivly as it would with a standard "monitor" input.

You can also have control over weather or not you want to actually index the entire file, or if you just want to see that one was created (all depending on your desired use.)

I would suggest you start by reading the Monitor Changes to your file system docs.


It would certainly be possible to look for the creation of new folders based on newly appearing sources in your index, but this would require (1) storing of state between your searches to know when something new appears, and (2) it would require some assumptions about the timestamps of your events and any indexing delays.... So yeah, it could be done, but I suspect that fschange will be a more straightforward solution.

View solution in original post

Path Finder

Many thanks for your reply. As I am monitoring a folder for an application which has been installed on a Windows server, would you be able to confirm that I am updating the correct inputs.conf file to monitor for any changes.

C:\Program Files\Splunk\etc\apps\launcher\local

According to the document update the file in SPLUNK_HOME/etc/system/local/ When I open up this folder it only contains the name of the server.

0 Karma

Super Champion

You may want to consider using "fschange" instead of monitor. This will (1) give you a specific event when a new directory is created, and (2) this could be a more natural fit for one-time generated crash dump files. This means that splunk will perodically check for changed or new files, but it will not be polling as agressivly as it would with a standard "monitor" input.

You can also have control over weather or not you want to actually index the entire file, or if you just want to see that one was created (all depending on your desired use.)

I would suggest you start by reading the Monitor Changes to your file system docs.


It would certainly be possible to look for the creation of new folders based on newly appearing sources in your index, but this would require (1) storing of state between your searches to know when something new appears, and (2) it would require some assumptions about the timestamps of your events and any indexing delays.... So yeah, it could be done, but I suspect that fschange will be a more straightforward solution.

View solution in original post