if the event doesn't have the bytes associated to the file splunk can not provide that detail. for example if the event is, file: temp.txt, 45 bytes, created today, file closed. Then in this scenario that contains knowledge about file temp.txt of size 45 bytes and it's closed. Then Splunk can retrieve and Alert/report etc can be created. What we need to retrieve in this case bytes must exist in 'events' / _raw data. Hope this clarifies. ... View more

That's a pretty straightforward query in Splunk.  However, do you have the equivalent to "ps -ef" logged in Splunk?  If not, then the alert won't work. Another option is to create a scripted input that executes that CLI command and logs the result in Splunk.  Then you can alert on it. ... View more