Getting Data In

Monitor a directory and run a script on a new file

New Member

Hi,

I'm a beginner Splunk user and I'm trying to use Splunk to monitor an NFS directory for new files and run a (Python) script when a new file is added to the monitored directory.
I am using the following fs stanza, which seems to work, but I'm not sure how to run the script when a new file is created in that directory:

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index instead of fschange events
signedaudit = true
recurse = true
followLinks = false
hashMaxSize = -1
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 10
delayInMills = 100

Thanks!


Re: Monitor a directory and run a script on a new file

Influencer

Splunk may not be the correct tool for your use case.

First of all, fschange monitors have been deprecated since Splunk 5 and could be removed at any time.

Second: Splunk is more about recording events, extracting information and correlating them. If you had something producing events into Splunk (like the fschange monitor) and you had a scheduled search on your search head, you could kick off a custom alert action to execute your script from the search head, but that may not be what you're looking to do.

I am not as familiar as I should be with all the ins and outs of Phantom yet, however based on signals, they too can invoke playbook actions to automate tasks, but I'm not exactly sure of the mechanics there.

I suspect, however, that if you have access to the NFS server, you may be looking for an inotify-based tool, as has been suggested on this Stack Overflow question: https://stackoverflow.com/q/14692353/504685

But if you don't have that sort of access to the NFS server, you may run into issues and are likely looking for a different solution: https://stackoverflow.com/a/4231277/504685

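Because inotify only sees changes made through the local kernel, the fallback for an NFS client without server access is polling. As an added example (not code from this thread or from Splunk), here is a small Python poller that snapshots the directory on each pass and hands a file over only once its size and mtime have stopped changing between two polls, so a script is not started on a file another client is still writing; the directory and file names in the demo are constructed for an offline run.

```python
import os
import tempfile
from pathlib import Path

def snapshot(directory):
    """Map file name -> (size, mtime_ns) for regular files directly in directory."""
    state = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                state[entry.name] = (st.st_size, st.st_mtime_ns)
    return state

class DirectoryPoller:
    """Report a file as new only once its size and mtime are unchanged between
    two consecutive polls, so a file still being written over NFS is skipped."""

    def __init__(self, directory):
        self.directory = Path(directory)
        # name -> (stat, reported); files present at start count as already reported
        self.seen = {n: (s, True) for n, s in snapshot(self.directory).items()}

    def poll(self):
        current = snapshot(self.directory)
        ready = []
        for name, stat in current.items():
            prev = self.seen.get(name)
            if prev == (stat, False):          # unchanged since last poll: writer is done
                ready.append(self.directory / name)
                self.seen[name] = (stat, True)
            elif prev is None or not prev[1]:  # first sighting, or still growing
                self.seen[name] = (stat, False)
        for name in set(self.seen) - set(current):  # forget removed files
            del self.seen[name]
        return ready

def demo_run():
    """Offline walk-through on a temp directory; returns names reported per poll."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "old.log").write_text("already here")   # constructed sample file
        poller, results = DirectoryPoller(tmp), []
        results.append([p.name for p in poller.poll()])    # nothing new yet
        Path(tmp, "new.csv").write_text("constructed")     # arrives between polls
        for _ in range(3):                                 # sighting, stable, done
            results.append([p.name for p in poller.poll()])
        return results
```

On the real mount, construct `DirectoryPoller` on the NFS path (a placeholder such as `/mnt/nfs/incoming`) and call `poll()` from a timer loop, passing each returned path to your script as an argument list (`subprocess.run([script, str(path)])`) rather than through a shell, so a crafted file name cannot be interpreted as shell syntax.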

Re: Monitor a directory and run a script on a new file

New Member

Hi,
Thanks for the comment!
Indeed, inotify was my first option, but the problem is that I don't have access to the NFS server and, as you mentioned, inotify will not trigger an event on a remote machine as this is a kernel feature.
Since we are already using Splunk, I thought this could help us with this issue. I've read that fschange monitors have been deprecated and it is now recommended to use an auditd module in order to watch for these events, but we're trying to come up with the simplest solution for this problem.
Did you have any success with an NFS file monitoring solution using inotify or something similar?
