Getting Data In

How to monitor the files under a path but not the details of each file?

niks987
Explorer

Hi All,

Hope you all are doing well.

Recently I was ingesting data into Splunk from a server and I had to get the file names under the inbox folder. I used the config file below.

[monitor:///export/mail/inbox]
sourcetype = inbox
index = global-app-compiere
ignoreOlderThan = 60d
disabled = false

After restarting Splunk I was getting the details of each file as events and the file name as source.

So inside the inbox folder we have files like this:
/export/mail/inbox/1243156.PSV
/export/mail/inbox/3575838.PSV
/export/mail/inbox/1253489.CSE
/export/mail/inbox/processed/2473580.CSE
/export/mail/inbox/qw648385.CSE
/export/mail/inbox/processed/12354675.CSE

I wanted to get just the file names under the sourcetype inbox, but I am getting the details of each file, and the file name is stored as source.

Can anyone please help me with this?

Thanks in advance 🙂

0 Karma

dm1
Contributor

hi @niks987 how did you manage to store email attachments automatically on your local system?

0 Karma

PickleRick
SplunkTrust

There are probably many ways to do that, the most popular being procmail and formail and/or metamail. But it's way out of scope of this forum. You should ask the experts on your MTA.

0 Karma

gcusello
SplunkTrust

Hi niks987,
sorry, I don't understand your question, could you share more details?
Are you saying that you have events with inbox sourcetype and you want to override sourcetype value with the source?
If this is your need, it isn't a good idea because in Splunk there are many things related to sourcetype (fields, tags, eventtypes, etc...).

Usually file names are stored in the source field and the contents as events, but which details are you speaking of?

Ciao.
Giuseppe

0 Karma

niks987
Explorer

Hi gcusello,

I have to monitor a log (/export/mail/inbox). Under this I have to display the paths below as events, as they will get updated every 10 mins and the file names will change accordingly.
/export/mail/inbox/1243156.PSV
/export/mail/inbox/3575838.PSV
/export/mail/inbox/1253489.CSE
/export/mail/inbox/processed/2473580.CSE
/export/mail/inbox/qw648385.CSE
/export/mail/inbox/processed/12354675.CSE

I have written a configuration to monitor the path. But the issue is that Splunk is displaying the details of the files as events rather than displaying the file names mentioned above.

I want that in source:-/export/mail/inbox :- sourcetype inbox
I should see only the names of the files, not the details inside the files, as events in Splunk.

0 Karma

gcusello
SplunkTrust

Hi niks987,
is your need to display the list of sources?
If yes, you can get this with an easy search

index=your_index sourcetype=inbox 
| dedup source
| sort source
| table source

If the problem is that you don't want to ingest these logs, you have to change your input: instead of monitor, you have to create a simple script (e.g. containing the dir command) that lists the files in a path and ingest the script output as events.

Ciao.
Giuseppe

0 Karma
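The scripted-input approach from the answer above, as an added example that is not part of the thread or of any Splunk-supplied script. It assumes the thread's path /export/mail/inbox and sourcetype inbox; the stanza in the header comment shows how such a script would be wired into inputs.conf so it runs every 10 minutes, which matches the update interval the poster describes. Each run emits one event per regular file (recursing into subfolders such as processed/) with only the path and size, so nothing inside the files is indexed. Because Splunk executes scripted inputs as the splunkd user on every interval, the script file must be owned by that user and not writable by anyone else.

```shell
#!/bin/sh
# Added example (not from the thread): a Splunk scripted input that lists the
# files under a directory instead of reading their contents.
#
# Assumed inputs.conf stanza (app name and interval are assumptions):
#
#   [script://$SPLUNK_HOME/etc/apps/inbox_listing/bin/list_inbox.sh]
#   interval   = 600
#   sourcetype = inbox
#   index      = global-app-compiere
#   disabled   = false
#
# Splunk runs this as the splunkd user; keep the file non-world-writable.

set -eu

# list_files DIR
# Print one line per regular file below DIR, prefixed with a UTC timestamp so
# every run is a fresh batch of events. Output is key=value so Splunk's
# automatic field extraction yields path and size without extra config.
list_files() {
    dir=$1
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # -type f skips the directories themselves; a stable sort makes two runs
    # easy to diff in search. read -r keeps backslashes in names intact.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s path="%s" size=%s\n' "$ts" "$f" "$size"
    done
}

# count_files DIR
# Number of events list_files would emit for DIR; handy for a quick
# sanity check against `ls -R` before enabling the input.
count_files() {
    list_files "$1" | wc -l | tr -d ' '
}

# Entry point: the inbox path is the first argument, defaulting to the
# thread's directory. If the directory is absent, warn on stderr (which
# Splunk records in splunkd.log) and emit no events rather than fail loudly.
inbox=${1:-/export/mail/inbox}
if [ -d "$inbox" ]; then
    list_files "$inbox"
else
    echo "list_inbox.sh: directory $inbox does not exist" >&2
fi
```

With this in place the search from the answer reduces to `index=global-app-compiere sourcetype=inbox | dedup path | table _time path size`, and the monitor stanza from the question can be removed so file contents are no longer indexed. Note that a scripted input re-emits every file on each run; if only new arrivals are wanted, filter on `_time` or use `stats latest(_time) by path` in the search rather than trying to make the script stateful.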