
How to search for new files put in to folders

roberto_baggio
Explorer

Hi guys, I searched through all topics and couldn't find anything relevant to my issue. So I hope someone would help me with my question.

We use Splunk Cloud Enterprise Security. We have an AWS environment, mostly with Linux instances. What I want to achieve is to search on Splunk for any new files put in /tmp or /sbin etc.

I was googling and searching in the documentation; all I can find is this document https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/Monitorfilesanddirectories that says that I should use the CLI. But this doesn't make sense: we use Splunk Cloud, there is no CLI, right? And I think this article is about accessing and monitoring Splunk files, right?

So yes, in short: how to search for any new files added to instances.


Cheers.

0 Karma

richgalloway
SplunkTrust

Before Splunk can tell you about a new file something has to tell Splunk about it.  That's what the Universal Forwarder (UF) does.  It monitors specified directories and uploads the contents of those directories to Splunk Cloud.  Note that Splunk knows about the file because it has indexed what's in the file - that's a lot more than just knowing the file exists.  It also means Splunk won't know about non-text files because it won't index those.

There is an input called fschange that monitors changes to the file system and seems to be the perfect fit here.  Be aware, however, that fschange has been deprecated for a few years now and could disappear at any time.

The instructions cited about using the CLI to add a monitor are correct, but they apply to forwarders, which always run on your on-prem hardware rather than in the cloud.

---
If this reply helps you, Karma would be appreciated.
0 Karma

roberto_baggio
Explorer


I thought that because we use Splunk Cloud there are no forwarders, only collectors.

For fschange:

Note: The file system change monitor has been deprecated in Splunk Enterprise since version 5.0.

So fschange is not an option.

0 Karma
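Since the thread concludes that fschange is deprecated and that the Universal Forwarder only learns about a file by indexing its contents, one practical way to get "new file in /tmp or /sbin" events into Splunk Cloud is to generate them on the instance yourself and let a UF monitor the resulting log. The script below is an added example, not code from the thread or from Splunk: it keeps a JSON snapshot of the watched directories between runs, writes one JSON line per newly created or replaced file, and is meant (my assumption) to run from cron or a systemd timer. The paths `/var/lib/newfiles-state.json` and `/var/log/newfiles.log`, the `demo()` helper and the sample file it creates are all constructed for illustration.

```python
"""Snapshot-based new-file detector for a Linux instance.

Added example, not code from the thread or from Splunk. Assumption: the
script runs periodically on each instance (cron or a systemd timer) and a
Universal Forwarder monitors the JSON-lines log it appends to, so each
new-file event becomes a searchable event in Splunk Cloud without relying
on the deprecated fschange input.
"""
import json
import os
import socket
import tempfile
import time

# Directories from the question; constructed default list, extend as needed.
WATCHED_DIRS = ["/tmp", "/sbin"]


def snapshot(directory):
    """Return {path: metadata} for regular files directly inside directory."""
    entries = {}
    try:
        with os.scandir(directory) as it:
            for entry in it:
                if not entry.is_file(follow_symlinks=False):
                    continue
                try:
                    st = entry.stat(follow_symlinks=False)
                except FileNotFoundError:
                    continue  # file disappeared between listing and stat
                entries[entry.path] = {
                    "inode": st.st_ino,
                    "size": st.st_size,
                    "mtime": int(st.st_mtime),
                    "uid": st.st_uid,
                    "mode": oct(st.st_mode & 0o7777),
                }
    except (FileNotFoundError, PermissionError):
        pass  # directory missing or unreadable: nothing to report
    return entries


def diff_snapshots(old, new):
    """Events for files that appeared, or were replaced, since the old snapshot."""
    events = []
    for path, meta in new.items():
        if path not in old:
            events.append({"action": "created", "path": path, **meta})
        elif old[path]["inode"] != meta["inode"]:
            # Same name but a different inode: the file was deleted and
            # recreated or moved into place, which a size/mtime check can miss.
            events.append({"action": "replaced", "path": path, **meta})
    return events


def load_state(state_file):
    """Previous snapshot, or None on the very first run (baseline, no alerts)."""
    try:
        with open(state_file) as f:
            return json.load(f)
    except FileNotFoundError:
        return None


def run_once(dirs, state_file, log_file):
    """Scan dirs, append one JSON line per new file to log_file, return the events."""
    old = load_state(state_file)
    new = {}
    for d in dirs:
        new.update(snapshot(d))
    events = diff_snapshots(old, new) if old is not None else []
    host = socket.gethostname()
    now = time.time()
    with open(log_file, "a") as log:
        for ev in events:
            log.write(json.dumps({"time": now, "host": host, **ev}) + "\n")
    with open(state_file, "w") as f:
        json.dump(new, f)
    return events


def demo():
    """Self-contained run against a temporary directory (constructed input)."""
    base = tempfile.mkdtemp()
    watched = os.path.join(base, "watched")
    os.mkdir(watched)
    state = os.path.join(base, "state.json")
    log = os.path.join(base, "newfiles.log")
    first = run_once([watched], state, log)   # baseline run: no events
    dropped = os.path.join(watched, "dropper.sh")
    with open(dropped, "w") as f:
        f.write("echo constructed sample\n")
    second = run_once([watched], state, log)  # one "created" event
    third = run_once([watched], state, log)   # nothing changed
    with open(log) as f:
        logged = [json.loads(line) for line in f]
    return {"first": first, "second": second, "third": third, "logged": logged}


if __name__ == "__main__":
    # Constructed state/log paths; pick locations the UF's user can read.
    for ev in run_once(WATCHED_DIRS, "/var/lib/newfiles-state.json", "/var/log/newfiles.log"):
        print(ev["action"], ev["path"])
```

With a UF stanza such as `[monitor:///var/log/newfiles.log]` using `sourcetype = _json`, the events land with their fields extracted, so a search like `sourcetype=_json action=created path="/tmp/*"` answers the original question directly. The first run only records a baseline, so a fresh deployment does not flood the index with every pre-existing file, and the inode comparison catches a file that is deleted and recreated under the same name, which a plain name check would report as unchanged.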