Re: Find Largest Files of Linux Using Splunk

hishamjan · ‎02-25-2021

Hi everyone,

On my Linux machine, which has Splunk Forwarder and Splunk Add-on for Unix and Linux installed, I'm using this command to find the largest files on my server;

sudo du -a /var/log | sort -n -r | head -n 20

It enlists the first 20 largest files in the /var/log directory.

Now, I would like to do the same using Splunk.

Is there a way to edit the inputs.conf file to be able to index the data onto Splunk or is there any type or search I can make use of to achieve this.

Thanks in advance to anyone willing to help.

Reagards,

Hisham

manjunathmeti · ‎02-25-2021

hi @hishamjan,

Enable the monitor for /var/log and set index in inputs.conf in the eadd-on.

[monitor:///var/log]
disabled = 0
index = indexname

Search below query to get top files by size.

| tstats count where index="indexname" earliest=1 by source | sort -count | head 20

If this reply helps you, an upvote/like would be appreciated.

hishamjan · ‎02-25-2021

Hi @manjunathmeti ,

Thanks for the reply,

I edited my inputs.conf file with;

[monitor://2>/dev/null]

index = monitor

disabled = false

(restarted splunk after that)

and my search with its result is attached below:

Screenshot 2021-02-26 at 12.51.41 PM.png

It isn't returning anything (All-Time, Last 24 hrs, Last 4 hours etc)...

Is there anything I'm doing wrong?

your help is appreciated.

Regards

manjunathmeti · ‎02-26-2021

Your monitor path is not correct. It should be [monitor:///var/log].

Find Largest Files of Linux Using Splunk

field extraction

lookup

regex

stats

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?