Alerting

Alert on The Creation Of New Folders

itsomana
Path Finder

There is an application running on a server that creates a new folder when an error occurs. I have Splunk monitoring the root of the folder; however, is there any way that I can get Splunk to alert me if a new folder is automatically created? I cannot monitor for the files in the new folder, as the files are always different.

1 Solution

Lowell
Super Champion

You may want to consider using "fschange" instead of monitor. This will (1) give you a specific event when a new directory is created, and (2) this could be a more natural fit for one-time generated crash dump files. This means that Splunk will periodically check for changed or new files, but it will not be polling as aggressively as it would with a standard "monitor" input.

You can also have control over whether or not you want to actually index the entire file, or if you just want to see that one was created (all depending on your desired use).

I would suggest you start by reading the Monitor Changes to your file system docs.


It would certainly be possible to look for the creation of new folders based on newly appearing sources in your index, but this would require (1) storing of state between your searches to know when something new appears, and (2) it would require some assumptions about the timestamps of your events and any indexing delays. So yeah, it could be done, but I suspect that fschange will be a more straightforward solution.

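A concrete version of the fschange approach described above, added here as an example and not taken from the thread: the input stanza that produces a directory-creation event, and a scheduled alert that fires on it. The dump path, index, poll interval and recipient are assumptions, and it assumes a Splunk version where the fschange input is still available.

```ini
# inputs.conf (assumed location: SPLUNK_HOME/etc/system/local or an app's local/)
# Watch the application's dump directory. Path and index are assumptions.
[fschange:C:\ProgramData\ExampleApp\dumps]
# Descend into the per-error folders the application creates.
recurse = true
followLinks = false
# fschange polls rather than subscribing to OS notifications; this sets the
# interval in seconds, so a new folder is noticed at most this long after creation.
pollPeriod = 300
# fullEvent = false indexes only the change record (path, action, isdir, size),
# not the file contents; set to true if the dump contents are wanted in Splunk.
fullEvent = false
# Keep events as sourcetype fs_notification in a regular index instead of the
# signed audit trail in _audit.
signedaudit = false
index = main

# savedsearches.conf: alert when fschange reports a newly added directory.
[ExampleApp - new error folder created]
search = index=main sourcetype=fs_notification action=add isdir=1 path="*ExampleApp\\dumps\\*"
enableSched = 1
# Run every 5 minutes over a window wider than pollPeriod so nothing is missed.
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = ExampleApp created a new error folder
```

Because the input polls, the alert latency is bounded by pollPeriod plus the search schedule; shorten pollPeriod if faster notification matters more than the extra file-system scanning.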

itsomana
Path Finder

Many thanks for your reply. As I am monitoring a folder for an application which has been installed on a Windows server, would you be able to confirm that I am updating the correct inputs.conf file to monitor for any changes?

C:\Program Files\Splunk\etc\apps\launcher\local

According to the document, update the file in SPLUNK_HOME/etc/system/local/. When I open up this folder, it only contains the name of the server.
