Getting Data In

Why is Splunk unable to detect modified files when monitoring files on CIFS mount?

yannK
Splunk Employee
Splunk Employee

I have a CIFS mount from Azure on a server.
Then a Splunk forwarder monitoring the mounted folder.

I discovered that Splunk can detect the files when starting, but not later when a file is modified.

1 Solution

yannK
Splunk Employee
Splunk Employee

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

View solution in original post

yannK
Splunk Employee
Splunk Employee

Explanation :

Folder modification time in MAFS (Microsoft Azure File System) is not updated ! Splunk is unable to properly monitor the folder as there's no change triggering ingestion of the new files. This is not a bug in Splunk, but limitation of the Azure File Storage ... even windows explorer and Azure web interface are showing creation time as the last modification date !

Full list of limitations can be found here:
https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/Features-Not-Supported-By-the...

The possible workarounds are :

  • manually update your file modification time, to force detection.
    The only workaround we were able to come up with (that actually works) was to update the destination folder last modification time manually
    (e.g. by using a script after uploading log files):
    PowerShell

    (Get-Item ).LastWriteTime = Get-Date

    • restart splunk on a regular basis
    • reload splunk inputs on a regular basis (not to often if you have too many files to scan each time) example : splunk _internal call /data/inputs/monitor/_reload -auth admin:changeme

Or not monitor Azure, and copy the files outside of the mount each time.

yannK
Splunk Employee
Splunk Employee

An Ideas was opened on the subject, you can vote for it

https://ideas.splunk.com/ideas/EID-I-1341

 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...