tuning of file monitoring

vinchakov_a
Path Finder

Good afternoon. I am trying file monitoring. The Splunk version is 6. I have run into problems that are unclear to me:
1) How do I monitor new files and deleted files?
2) I created the filter, but it doesn't work?
3) How do I switch off triggering on a change of the file's modification time?

[filter:blacklist:ignore_logs]
regex1 = *.log$
regex2 = *.LOG$

[fschange:C:\Windows\System32]
pollPeriod = 360
filter = ignore_logs
signedaudit = false
hashMaxSize = 10240
recurse = true
followLinks = true
fullEvent = true
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 100

And this repeats constantly in the logs:

Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
0 Karma

MuS
SplunkTrust

Hi vinchakov_a,

let me try to answer this:

1) How do I monitor new files and deleted files?

This can be done by using the batch input, like this:

[batch://<path>]
* One time, destructive input of files in <path>.

2) I created the filter, but it doesn't work?

Your regexes *.log$ and *.LOG$ do not match the file "C:\Windows\System32\config\SYSTEM.LOG1", because you are searching for files containing a literal * and ending with either .log or .LOG. Try something like this to also match logs whose names contain numbers:

regex1 = .log(\d+)
regex2 = .LOG(\d+)

3) How do I switch off triggering on a change of the file's modification time?

I don't fully understand what you mean, so I will not provide an answer....

hope this helps ...

cheers, MuS

0 Karma
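As an added example (not Splunk's own code, and not from anyone in this thread) of what the two blacklist variants in this thread match against the quoted fschange events, and of dropping events whose only reported change is modtime once they are parsed. It uses Python's re module and assumes the filter regexes are applied unanchored to the full path, which is an assumption about Splunk's behaviour, not something the thread states.

```python
import re

# Constructed sample input: the two fschange events quoted in the question.
SAMPLE_EVENTS = [
    'Tue Mar 18 11:32:45 2014 action=update, path="C:\\Windows\\System32\\config\\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, '
    'modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "',
    'Tue Mar 18 11:32:45 2014 action=update, path="C:\\Windows\\System32\\config\\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, '
    'modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "',
]
ORIGINAL_PATTERNS = [r"*.log$", r"*.LOG$"]        # from the question
SUGGESTED_PATTERNS = [r".log(\d+)", r".LOG(\d+)"]  # from the answer

# key=value pairs; a value is either "quoted" or a bare token (hash= is empty).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]*)')

def parse_event(line):
    """Return the key=value fields of one fschange event as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def compile_blacklist(patterns):
    """Compile filter regexes; report the ones that are not valid regexes."""
    compiled, invalid = [], []
    for pat in patterns:
        try:
            compiled.append(re.compile(pat))
        except re.error as exc:
            invalid.append((pat, str(exc)))  # a leading * has nothing to repeat
    return compiled, invalid

def is_blacklisted(path, compiled):
    # Assumption: patterns are applied unanchored (search) to the full path.
    # Note the unescaped '.' in the suggested patterns matches any character.
    return any(rx.search(path) for rx in compiled)

def modtime_only(fields):
    """True when the event reports no change other than the modification time."""
    return set(fields.get("chgs", "").split()) == {"modtime"}

def triage(lines, patterns, drop_modtime_only=True):
    """Events that are neither blacklisted nor (optionally) modtime-only."""
    compiled, _ = compile_blacklist(patterns)
    events = map(parse_event, lines)
    return [ev for ev in events
            if not is_blacklisted(ev.get("path", ""), compiled)
            and not (drop_modtime_only and modtime_only(ev))]
```

The unescaped dot in the suggested patterns matches any character, so a tighter pattern such as \.LOG\d+$ avoids matching unrelated paths that merely contain "log" followed by a digit.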

MuS
SplunkTrust

good one, but remember it will be a lower s

0 Karma

vinchakov_a
Path Finder

I found the mistake:
filterS = ignore_logs

0 Karma

MuS
SplunkTrust

you can try .log or .LOG as well

0 Karma

vinchakov_a
Path Finder

The regex does not work...

0 Karma

vinchakov_a
Path Finder

Thanks, I will try your regex. But I don't think batch is what I need. I need Splunk to report when a new file appears in the folder or an old one is deleted.

0 Karma