Solved: Re: Find files that are not being accessed

christopher_hod · ‎07-19-2012

The scenario:
I have a scripted input that gives me a list of files in a directory. On a regular basis I want to run a search that will see how many times each of those has been served by the webserver. I also want to include in the report any files that have not been hit in the report.

Assume the subsearch for the list of files is just:

[search sourcetype=dirlist | fields filename ]

And that it's searching against normal apache access logs.

dwaddle · ‎07-19-2012

Maybe something like:

sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename

View solution in original post

dwaddle · ‎07-19-2012

Maybe something like:

sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename

Find files that are not being accessed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation