Good afternoon, I am trying to monitor files. The Splunk version is 6. I have run into some problems that are unclear to me:
1) How do I monitor new files and deleted files?
2) I created the filter, but it doesn't work?
3) How do I switch off triggering on a change of the file's modification time?
[filter:blacklist:ignore_logs]
regex1 = *.log$
regex2 = *.LOG$
[fschange:C:\Windows\System32]
pollPeriod = 360
filter = ignore_logs
signedaudit = false
hashMaxSize = 10240
recurse = true
followLinks = true
fullEvent = true
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 100
And this repeats constantly in the logs:
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Hi vinchakov_a,
let me try to answer this:
1) How to monitor new files and deleting files?
This can be done by using the batch input, like this:
[batch://<path>]
* One time, destructive input of files in <path>.
2) I created the filter but it doesn't work?
Your regexes *.log$ or *.LOG$ do not match the file "C:\Windows\System32\config\SYSTEM.LOG1" because you are searching for files containing a literal * and ending with either .log or .LOG. Try something like this to also match logs whose names contain numbers:
regex1 = .log(\d+)
regex2 = .LOG(\d+)
3) How to switch off actuating on change of time of the file?
I don't fully understand what you mean, so I will not provide an answer....
hope this helps ...
cheers, MuS
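As an added illustration (not part of MuS's answer and not Splunk's own code), here is a small Python script that parses fschange events like the two quoted in the question, applies an anchored, case-insensitive version of the blacklist regex (assumed: `\.log\d*$`, which is not a pattern from this page), and drops update events whose only reported change is modtime, which is what question 3 asks for. The sample lines are constructed; the last two are invented to show events that would survive the filter.

```python
import re

# Constructed sample events in the fschange format quoted in the question.
# The first two are the lines from the post; the last two are invented.
SAMPLE_EVENTS = r'''
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:40:02 2014 action=update, path="C:\Windows\System32\drivers\etc\hosts", isdir=0, size=1024, gid=-1, uid=-1, modtime="Tue Mar 18 11:40:00 2014", mode="rwxrwxrwx", hash=0123abcd, chgs="modtime size hash "
Tue Mar 18 11:41:10 2014 action=add, path="C:\Windows\System32\example.dll", isdir=0, size=4096, gid=-1, uid=-1, modtime="Tue Mar 18 11:41:10 2014", mode="rwxrwxrwx", hash=, chgs=""
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare up to the next comma.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# Assumed corrected blacklist: a literal dot, "log" in either case, optional digits, end of path.
# This is the author's own choice, not the regex given in the answer above.
IGNORE_LOGS = re.compile(r'\.log\d*$', re.IGNORECASE)


def parse_event(line):
    """Split one fschange line into a dict; chgs becomes a set of change names."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["chgs"] = set(fields.get("chgs", "").split())
    return fields


def triage(events_text, blacklist=IGNORE_LOGS):
    """Return (action, path, sorted changes) for events worth attention.

    Blacklisted paths are dropped, and 'update' events whose only change is
    the modification time are dropped; 'add' and 'delete' are always kept.
    """
    kept = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        if blacklist.search(ev["path"]):
            continue
        if ev["action"] == "update" and ev["chgs"] <= {"modtime"}:
            continue
        kept.append((ev["action"], ev["path"], sorted(ev["chgs"])))
    return kept


if __name__ == "__main__":
    for action, path, changes in triage(SAMPLE_EVENTS):
        print(f"{action:7} {path}  changes={changes}")
```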
good one, but remember it will be a lower s
I found the mistake:
filterS = ignore_logs
You can try .log or .LOG as well.
The regex does not work...
Thanks, I will try your regex. But I think batch is not what I need. I need Splunk to report when there is a new file in the folder or an old one is deleted.