Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring File Directories but not indexing file contents

Highlander22
Engager
‎11-02-2020 01:45 PM

Hi all,

Sorry for the really newb question (because I am one).

I have Splunk Enterprise running on my standalone PC to evaluate it. I have managed to get Splunk to monitor my PC's volumes, directories & files OK...but the **bleep** thing insists on trying to index the contents of every file too. Obviously, this is very resource-intensive and I really don't want the file contents indexed.

How do I stop it indexing the file contents? Or, even better, tell it not to index any file contents except for specific file extensions?

Thanks for any help.

Labels (1)
Labels
0 Karma
Reply

Highlander22
Engager
‎11-03-2020 08:56 AM

Thanks @gcusello & @richgalloway 😊👍 for taking the time to respond.

I think I have the solution: I already had the "File Meta-data" app but was using the "Files & Directories" "Data Input" (which does index the contents of the file/all files in the directory) rather than the "File Meta-data" "Data Input" (which "Import[s] file and directory meta-data (size, modification dates, etc.)". This also adds a new "File Meta-data" entry in the "Add Data" "Monitor" sources too.

I have it timed to run every 24 hours so will have to wait 24 hours for it to have triggered at some time in the interim. The documentation on that "File Meta-data" app is rather spartan to say the least but I think I am on the right path. Just need a bit of trial and error now, I think.

I have upvoted both of you though 😊.

 

@gcusello- In my old programming days, yes, I would have created such a script but I expected that such integrated tools like Splunk should be able to integrate directly with the FS by now to at least do that for me 😊.

@richgalloway- If I can't get my expected solution to work (it bloody well should work), I will have a look at yours next. There's always different ways of skinning the same cat...though, yes, this is quite a primitive cat to have Splunk get its teeth into.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-03-2020 07:12 AM

Hi @Highlander22,

you could create a scripted input that runs (e.g. every hour) a script containing the "dir" command (in Windows) or the "ls" command (in Linux).

in this way you have the list of the files of a folder, without indexing file contents, and you can compare the lists in different time periods.

ciao.

Giuseppe

Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2020 07:03 AM

Indexing files is Splunk's reason for being.  

Have a look at the fschange monitor in inputs.conf.  It's a deprecated feature so it may so away in a future release, but it may be want you seek.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...