Monitoring Splunk

How to check whether a file was received in some folders and read those files to compare data?

mnarmada
Path Finder

Hello All,

I have two applications on a remote server or host. Every day I need to log in to those applications at scheduled times and check different folders in the applications, to check whether files like stock and so on were received in that folder or not. If received, that is fine and I will check another folder. If not received, I will do it manually.
Now I want to make this automatic through Splunk.
Whenever a new file is added to one folder, I want to get a message on my mobile and an email.

Please suggest how I can do this, as I am new to Splunk.
If I want to monitor like this, do I need to install a forwarder on the server side?
If the "Monitor" option is the only option, could you please tell me how to do it?

I also have an Oracle database connection with these applications. Does the database help in any way, as it has tables with these files' information?
Is it possible to send alerts if I use a database extract?

Please help me and provide some documents to go through and make myself strong.

Best Regards,
Narmada M

0 Karma
1 Solution

koshyk
Super Champion

It is quite simple and we do it very regularly across 100s of client systems.

  1. Install the UF (Universal Forwarder) on the client/remote machine.
  2. Ensure the deployment server and the client machine work and everything is good.
  3. Create an app MY_remote_monitor_inputs and put an inputs.conf within it. Put in a stanza to monitor the directory or file. Also ensure index=some_index and sourcetype are set for easy identification.
  4. Collect this data into Splunk. If you don't want to index it, it is tricky, but there is a solution for that too. But I will keep it simple, as though you index the file.
  5. Then create a saved search to run (real-time or once every xx minutes) and send an alert based on a condition. For example, if the file reached and is more than 1000 lines, send you an email/alert etc.

0 Karma
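
Steps 3 and 5 of the answer above, written out as config files. This is an added example, not koshyk's or Splunk's own config: MY_remote_monitor_inputs and some_index come from the answer, while the monitored path, the sourcetype stock_file, the schedules and the e-mail address are assumed values.

```ini
# --- Deployment server:
# $SPLUNK_HOME/etc/deployment-apps/MY_remote_monitor_inputs/local/inputs.conf
# Pushed to the Universal Forwarder. Path and sourcetype are assumed values.
[monitor:///opt/app1/incoming/stock]
index = some_index
sourcetype = stock_file
# Only pick up the .txt files mentioned in the thread
whitelist = \.txt$
disabled = false

# --- Search head:
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Alert 1: a file arrived in the last 15 minutes and has more than 1000 lines
# (assumes one event per line of the file).
[Stock file received]
search = index=some_index sourcetype=stock_file | stats count AS lines BY host, source | where lines > 1000
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = ops@example.com
action.email.subject = Stock file received on $result.host$

# Alert 2: nothing arrived by the expected time (08:00 daily is an assumed schedule)
[Stock file missing]
search = index=some_index sourcetype=stock_file
enableSched = 1
cron_schedule = 0 8 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
counttype = number of events
relation = equal to
quantity = 0
action.email = 1
action.email.to = ops@example.com
action.email.subject = Stock file NOT received in the last 24h
```

If the files carry their own timestamps, event time can differ from arrival time, so the search windows may need widening.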

mnarmada
Path Finder

Hi,

Thanks for the response.
I have a few doubts on this. Please assist me if possible.

1) How to create an app in the Universal Forwarder?

2) For a few directories, I have to index files and compare data with other files; is comparison possible? But what I want now is, whenever I receive one or more files in some folder (I have a lot of folders), I need to get an alert.
Is there any specific condition to do so in our search?

3) Also, I want to check the file size of every file received. Is that possible to get through the forwarder?
If yes, please tell me how to do it.

Most of the files will be in .txt format.

Thanks,
Narmada

0 Karma

koshyk
Super Champion

Your comments are quite significant queries and may be good to post as individual questions. But for the sake of the 1st query:
To create an app in the UF, you need a deployment server. Please see this doc; it may be good to learn and test it a few times.
If you can please upvote/accept for your original query, that would be great. Cheers

0 Karma

mnarmada
Path Finder

Hello,

Could you please tell me how to monitor a directory without indexing files into Splunk?
I have searched in many sources but did not find the way.

Please help me by providing some documentation links or something else.
Your response would help in the best way.

Thanks,
Narmada

0 Karma

mnarmada
Path Finder

Thanks!!!!

0 Karma