Find Largest Files of Linux Using Splunk

hishamjan
Explorer

Hi everyone,

 

On my Linux machine, which has Splunk Forwarder and Splunk Add-on for Unix and Linux installed, I'm using this command to find the largest files on my server:

sudo du -a /var/log | sort -n -r | head -n 20

It lists the first 20 largest files in the /var/log directory.

 

Now, I would like to do the same using Splunk.

Is there a way to edit the inputs.conf file to be able to index the data onto Splunk, or is there any type of search I can make use of to achieve this?

 

Thanks in advance to anyone willing to help.

 

Regards,

Hisham

0 Karma

manjunathmeti
Champion

hi @hishamjan,

Enable the monitor for /var/log and set the index in inputs.conf in the add-on.

[monitor:///var/log]
disabled = 0
index = indexname

Run the query below to get the top files by size.

| tstats count where index="indexname" earliest=1 by source | sort -count | head 20

 

If this reply helps you, an upvote/like would be appreciated. 

0 Karma

hishamjan
Explorer

Hi @manjunathmeti ,

 

Thanks for the reply,

I edited my inputs.conf file with:

[monitor://2>/dev/null]

index = monitor

disabled = false

(restarted splunk after that)

and my search with its result is attached below:

Screenshot 2021-02-26 at 12.51.41 PM.png

It isn't returning anything (All-Time, Last 24 hrs, Last 4 hours etc)...

 

Is there anything I'm doing wrong?

 

Your help is appreciated.

Regards

0 Karma

manjunathmeti
Champion

Your monitor path is not correct. It should be [monitor:///var/log].

0 Karma
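An added example, not part of the thread or of the Splunk add-on: a script for a Splunk scripted input that emits one key=value event per file with its on-disk size, so a search can rank files by size as the `du` command does (a `tstats count ... by source` search ranks sources by number of indexed events). The script name, the `largest_files` sourcetype, the `path` and `size_kb` field names, and the stanza and search in the comments are assumptions.

```shell
#!/bin/sh
# largest_files.sh (hypothetical name): report the largest files under a
# directory as key=value events for a Splunk scripted input.
#
# Assumed inputs.conf stanza, with the script placed in the app's bin directory:
#   [script://./bin/largest_files.sh]
#   interval = 3600
#   index = indexname
#   sourcetype = largest_files
#   disabled = 0
#
# Assumed search over the resulting events:
#   index="indexname" sourcetype=largest_files
#   | stats latest(size_kb) as size_kb by path | sort -size_kb | head 20

largest_files() {
    dir=$1
    limit=${2:-20}
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    tab=$(printf '\t')
    # du -k prints "<KiB on disk><TAB><path>"; find restricts the list to
    # regular files on the same filesystem, and unreadable paths are skipped.
    find "$dir" -xdev -type f -exec du -k {} + 2>/dev/null |
        sort -k1,1nr |
        head -n "$limit" |
        while IFS=$tab read -r kb path; do
            # Quote the path so names containing spaces stay in one field.
            printf '%s path="%s" size_kb=%s\n' "$ts" "$path" "$kb"
        done
}

# Emit events only when the file is run under its script name, so the
# function can also be sourced and exercised on its own.
case "$0" in
    *largest_files.sh) largest_files /var/log 20 ;;
esac
```

The forwarder's user must be able to read the directories being walked; files it cannot see are silently left out of the ranking.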