Getting Data In

Monitor a directory and run a script on a new file

I'm a beginner Splunk user and I'm trying to use Splunk to monitor an NFS directory for new files and run a (python) script when a new file is added to the monitored directory.
I am using the following fs stanza, which seems to work, but I'm not sure how to run the script when a new file is created in that directory:


# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index instead of fschange events
signedaudit = true
recurse = true
followLinks = false
hashMaxSize = -1
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 10
delayInMills = 100


Thanks for the comment!
Indeed, inotify was my first option, but the problem is that I don't have access to the NFS server and, as you mentioned, inotify will not trigger an event on a remote machine as this is a kernel feature.
Since we are already using Splunk, I thought this could help us with this issue. I've read that fschange monitors have been deprecated and it is now recommended to use an auditd module in order to watch for these events, but we're trying to come up with the simplest solution for this problem.
Did you have any success with an NFS file monitoring solution using inotify or something similar?

Splunk may not be the correct tool for your use case.

First of all, fschange monitors have been deprecated since Splunk 5 and could be removed at any time.

Second: Splunk is more about recording events, extracting information and correlating them. If you had something producing events into Splunk (like the fschange monitor) and you had a scheduled search on your search head, you could kick off a custom alert action to execute your script from the search head, but that may not be what you're looking to do.

I am not as familiar as I should be with all the ins and outs of Phantom yet, however based on signals, they too can invoke playbook actions to automate tasks, but I'm not exactly sure of the mechanics there.

I suspect, however, if you have access to the NFS server, you may be looking for an inotify-based tool, as has been suggested in this Stack Overflow question:

But if you don't have that sort of access to the NFS server, you may run into issues and are likely looking for a different solution:

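Because inotify only sees changes made through the local kernel, a poller on the Splunk client host is the fallback when the NFS server is out of reach. As an added example (not code from this thread or from Splunk), the script below keeps a JSON snapshot between runs, calls a handler only for files that are new and have stopped changing, and skips symlinks the way the stanza's followLinks = false does; the function names, the state file and the settle window are my own choices, and the first run reports every file already present as new.

```python
import json
import os
import stat
import tempfile
import time
from pathlib import Path

def scan_dir(root):
    # {relative path: (size, mtime)} of regular files; symlinks are neither
    # followed nor listed, mirroring the stanza's followLinks = false.
    snapshot = {}
    for dirpath, _dirs, names in os.walk(root, followlinks=False):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # vanished between listing and stat
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                snapshot[rel] = (st.st_size, int(st.st_mtime))
    return snapshot

def new_files(previous, current):
    return sorted(p for p in current if p not in previous)

def poll_once(root, state_path, handler, settle_seconds=30):
    # Diff against the saved snapshot and call handler(path) for each new file
    # untouched for settle_seconds (a writer on another NFS client may still be
    # appending). Settling files stay out of the saved state until they are done.
    previous = json.loads(Path(state_path).read_text()) if Path(state_path).exists() else {}
    current, now, handled = scan_dir(root), time.time(), []
    for rel in new_files(previous, current):
        if now - current[rel][1] < settle_seconds:
            del current[rel]
            continue
        handler(os.path.join(root, rel))
        handled.append(rel)
    Path(state_path).write_text(json.dumps(current))
    return handled

def demo():
    # Constructed run: three polls over a temp dir, with files created in between.
    root, state = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "seen.json")
    open(os.path.join(root, "a.csv"), "w").close()
    first = poll_once(root, state, print, settle_seconds=0)
    os.makedirs(os.path.join(root, "sub"))
    open(os.path.join(root, "sub", "b.csv"), "w").close()
    second = poll_once(root, state, print, settle_seconds=3600)  # too fresh, skipped
    third = poll_once(root, state, print, settle_seconds=0)
    return first, second, third
```

Run it from cron or a Splunk scripted input at the same 600-second cadence as pollPeriod, keep the state file outside the watched tree, and replace print with whatever launches the script.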