Getting Data In

Why are so many files being tracked because of this one monitor?

Ricapar
Communicator

Copying everything exactly how it appears...

I have this in my inputs.conf:

[monitor:///opt/firewalker/data/*/*/make_me_compliant.log]
disabled = 0
followTail = 0
host_segment = 5
index = firewalker
sourcetype = make_me_compliant
crcSalt = <SOURCE>

I took a look at $SPLUNK_HOME/var/log/splunk/splunkd.log, and I see this flying all over the place:

11-21-2012 15:21:06.422 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/pam.conf'.
11-21-2012 15:21:06.424 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/resolv.conf'.
11-21-2012 15:21:06.426 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/ssh.config'.
11-21-2012 15:21:06.427 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/sshd.config'.
11-21-2012 15:21:06.428 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/syslog.conf'.
11-21-2012 15:21:06.429 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/vintella.vas.conf'.
11-21-2012 15:21:06.429 -0500 INFO  WatchedFile - Will use tracking rule=modtime for file='/opt/firewalker/data/AIX/myhostname/vintella.vgp.conf'.

Is this normal operation? There are at least a thousand files for each hostname folder in that directory structure.
I only want to monitor one of them. It seems extremely wasteful that Splunk watches every file in there.

I verified that it was that stanza that is causing Splunk to do this. I disabled it (from the Web GUI), and the logs stopped getting those lines. Waited a while.. nothing. I enabled that input, and the entries came back pretty much right away.

That being said, I don't see data from any of those files showing up in any of my indexes, so Splunk doesn't seem to be doing much with it.


Drainy
Champion

Well, it's not tailing them so I wouldn't worry, but the fact you've used wildcards means that Splunk does have to scan through all files to locate the one you've specified; you may as well give the full location to it if you want to specify a single file.

lguinn2
Legend

You should use a whitelist to specify the specific file name you want to monitor. This will make Splunk more efficient. Otherwise, as Drainy says, you will be scanning through the directories unnecessarily.

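The asker's stanza rewritten along the lines lguinn2 suggests, as an added example that is not from the original thread: monitor the top-level directory and let a whitelist regex restrict tracking to the one file name wanted per host. It assumes the directory layout visible in the splunkd.log lines above (/opt/firewalker/data/<os>/<hostname>/...), so host_segment = 5 still picks out the hostname.

```ini
# Added example (not the asker's or an answerer's own config).
# Monitor the directory root rather than a wildcarded file path, and
# use a whitelist so only make_me_compliant.log is tracked in each host folder.
[monitor:///opt/firewalker/data]
disabled = 0
followTail = 0
# recursive defaults to true; stated here so the <os>/<hostname>/ subdirectories are clearly walked
recursive = true
# whitelist is a regex matched against the full path of every file found under the monitor root
whitelist = /make_me_compliant\.log$
# segments: 1=opt 2=firewalker 3=data 4=<os> 5=<hostname>
host_segment = 5
index = firewalker
sourcetype = make_me_compliant
crcSalt = <SOURCE>
```

After changing the stanza, the WatchedFile "Will use tracking rule=modtime" lines in splunkd.log should only appear for the whitelisted file in each host directory.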
Drainy
Champion

Since you haven't given it the full filename, it will need to locate the files first. If it isn't tailing or saying that it has started to read at offset etc., then it isn't reading the file.

Ricapar
Communicator

Ah, sorry, maybe I was a little vague..

There's one file name I want to watch, and that file name happens once per directory. That's what the wildcards are matching there.

Does the use of wildcards there make it scan every file in every one of those directories though?

I have a few other wildcard monitors.. and none of them go scanning every single other file in the tree.
