
tuning of file monitoring

vinchakov_a
Path Finder

Good afternoon, I am trying to monitor files. The Splunk version is 6. I ran into some problems that are unclear to me:
1) How do I monitor new files and deleted files?
2) I created a filter, but it doesn't work?
3) How do I switch off triggering on a change of the file's time?

[filter:blacklist:ignore_logs]
regex1 = *.log$
regex2 = *.LOG$

[fschange:C:\Windows\System32]
pollPeriod = 360
filter = ignore_logs
signedaudit = false
hashMaxSize = 10240
recurse = true
followLinks = true
fullEvent = true
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 100

And this repeats permanently in the logs:

Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM.LOG1", isdir=0, size=262144, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "
Tue Mar 18 11:32:45 2014 action=update, path="C:\Windows\System32\config\SYSTEM", isdir=0, size=13631488, gid=-1, uid=-1, modtime="Tue Mar 18 11:28:59 2014", mode="rwxrwxrwx", hash=, chgs="modtime "

MuS
SplunkTrust

Hi vinchakov_a,

let me try to answer this:

1) How do I monitor new files and deleted files?

This can be done by using the batch input, like this:

[batch://<path>]
* One time, destructive input of files in <path>.

2) I created a filter, but it doesn't work?

Neither of your regexes, *.log$ or *.LOG$, matches the file "C:\Windows\System32\config\SYSTEM.LOG1", because you are searching for files containing a literal * and ending with either .log or .LOG. Try something like this to also match logs whose names contain numbers:

regex1 = .log(\d+)
regex2 = .LOG(\d+)

3) How do I switch off triggering on a change of the file's time?

I don't fully understand what you mean, so I will not provide an answer....

hope this helps ...

cheers, MuS

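An added example, not code from the thread: it runs the blacklist regexes discussed above through Python's re module (standing in for the PCRE engine Splunk uses) against the paths from the posted fschange events plus a few constructed ones, and shows which patterns are rejected outright, which paths each version would drop, and why the leading dot should be escaped. The unanchored-search behaviour and the tightened pattern are assumptions of this example, not something the thread states.

```python
import re

# Paths taken from the fschange events in the question, plus constructed ones
# (marked) that exercise the edge cases of the candidate regexes.
SAMPLE_PATHS = [
    r"C:\Windows\System32\config\SYSTEM.LOG1",
    r"C:\Windows\System32\config\SYSTEM",
    r"C:\Windows\System32\config\software.LOG",  # constructed: .LOG with no digit
    r"C:\Windows\System32\catalog1.dll",         # constructed: 'log' inside a name
]

# The candidate [filter:blacklist:ignore_logs] bodies discussed in the thread.
ORIGINAL = {"regex1": r"*.log$", "regex2": r"*.LOG$"}
SUGGESTED = {"regex1": r".log(\d+)", "regex2": r".LOG(\d+)"}
# Hypothetical tightened version: escaped dot, optional digits, case-insensitive.
TIGHTENED = {"regex1": r"(?i)\.log\d*$"}


def compile_blacklist(patterns):
    """Compile the regexN values of a blacklist filter stanza.

    Returns (compiled_regexes, errors). Python's re stands in for Splunk's
    PCRE here; both reject a pattern that starts with a bare '*' quantifier.
    """
    compiled, errors = [], {}
    for name, pattern in patterns.items():
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            errors[name] = str(exc)
    return compiled, errors


def ignored_paths(patterns, paths=SAMPLE_PATHS):
    """Return (paths the filter would drop, compile errors).

    Assumption: each regex is applied as an unanchored search over the
    full path, so '$' is needed to pin the match to the end of the name.
    """
    compiled, errors = compile_blacklist(patterns)
    dropped = [p for p in paths if any(rx.search(p) for rx in compiled)]
    return dropped, errors


if __name__ == "__main__":
    for label, patterns in (("original", ORIGINAL), ("suggested", SUGGESTED),
                            ("tightened", TIGHTENED)):
        dropped, errors = ignored_paths(patterns)
        print(f"{label:9s} errors={errors or 'none'}")
        for p in dropped:
            print(f"          drops {p}")
```

Note that the unescaped dot in .log(\d+) also drops the constructed catalog1.dll, since "alog1" satisfies it; escaping the dot and anchoring with $ keeps the filter to file extensions.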

MuS
SplunkTrust

good one, but remember it will be a lower s


vinchakov_a
Path Finder

I found the mistake:
filterS = ignore_logs


MuS
SplunkTrust

You can try .log or .LOG as well.


vinchakov_a
Path Finder

The regex does not work...


vinchakov_a
Path Finder

Thanks, I will try your regex. But I think batch is not what I need. I need Splunk to report when there is a new file in the folder or an old one is deleted.
