Getting Data In

How to search for new files put in to folders

roberto_baggio
Explorer

Hi guys, I searched through all topics and couldn't find anything relevant to my issue. So I hope someone would help me with my question.

We use Splunk Cloud Enterprise Security. We have an AWS environment, mostly with Linux instances. What I want to achieve is to search on Splunk for any new files put in /tmp or /sbin, etc.

I was googling and searching in the documentation; all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories that says that I should use the CLI. But this doesn't make sense: we use Splunk Cloud, there is no CLI, right? And I think this article is about accessing and monitoring Splunk files, right?

So yes, in short: how to search for any new files added to instances.


Cheers.


richgalloway
SplunkTrust

Before Splunk can tell you about a new file, something has to tell Splunk about it. That's what the Universal Forwarder (UF) does. It monitors specified directories and uploads the contents of those directories to Splunk Cloud. Note that Splunk knows about the file because it has indexed what's in the file - that's a lot more than just knowing the file exists. It also means Splunk won't know about non-text files because it won't index those.

There is an input called fschange that monitors changes to the file system and seems to be the perfect fit here. Be aware, however, that fschange has been deprecated for a few years now and could disappear at any time.

The instructions cited about using the CLI to add a monitor are correct, but they apply to forwarders, which always run on your on-prem hardware rather than in the cloud.

---
If this reply helps you, Karma would be appreciated.
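As an added illustration of the approach described in this reply (this is not richgalloway's configuration, nor anything the thread's authors posted), here is the kind of inputs.conf stanza you would deploy on the Universal Forwarder installed on each Linux instance. The index name `os_linux` and the sourcetype `tmp_files` are assumptions; the index must already exist in your Splunk Cloud stack.

```ini
# Added example, not from the thread: UF inputs.conf stanza for the Linux instance.
# Monitor /tmp and everything below it; each file that appears becomes its own
# "source" once the UF reads and forwards its contents.
[monitor:///tmp]
index = os_linux
sourcetype = tmp_files
disabled = false
recursive = true
# Treat files as distinct sources even when their first bytes are identical,
# otherwise the UF may decide a new file is a copy it has already read.
crcSalt = <SOURCE>
# Skip anything that was last modified more than a day ago at UF start-up,
# so a first deployment does not replay years of old temp files.
ignoreOlderThan = 1d
# Keep noise down: ignore the scratch files package managers and editors leave behind.
blacklist = \.(swp|lock|tmp)$
```

With data arriving under that index, a search that lists files first seen in the last 24 hours is `| tstats min(_time) AS first_seen WHERE index=os_linux BY source | where first_seen > relative_time(now(), "-24h@h")`. The caveat from the reply still applies: an empty file, or a binary the UF will not index, never produces an event and therefore never shows up as a source, so this answers "what new text files were written here", not "what new inodes exist".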

roberto_baggio
Explorer


I thought because we use Splunk Cloud there are no forwarders, only collectors.

For fschange:

Note: The file system change monitor has been deprecated in Splunk Enterprise since version 5.0.

So fschange is not an option.
