Solved: Re: Find files that are not being accessed

christopher_hod · ‎07-19-2012

The scenario:
I have a scripted input that gives me a list of files in a directory. On a regular basis I want to run a search that will see how many times each of those has been served by the webserver. I also want to include in the report any files that have not been hit in the report.

Assume the subsearch for the list of files is just:

[search sourcetype=dirlist | fields filename ]

And that it's searching against normal apache access logs.

dwaddle · ‎07-19-2012

Maybe something like:

sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename

View solution in original post

dwaddle · ‎07-19-2012

Maybe something like:

sourcetype=access_combined [ search sourcetype=dirlist | fields filename ]
| stats count as hitcount by filename
| append [ search sourcetype=dirlist | fields filename | eval hitcount=0 ]
| stats max(hitcount) by filename

Find files that are not being accessed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation