Type: System and Internal | TLS Support: N/A | Event Breaker Support: Yes

Discovering and Filtering Files to Monitor

To produce its initial list of files to monitor, the File Monitor Source runs a discovery procedure at a configurable Polling interval. The Source then applies an Allowed list to filter the initial list down into its final form.

Then, for each file on the list, the Source compares current state with previously-stored state. This comparison determines whether the File Monitor Source will actually watch a given file for a given polling interval, or just ignore the file.

The simplest case is one where the Source discovers a file for which it has no stored state, meaning that the file has just been created and needs to be monitored. See the Examples section for other possibilities, along with a description of the Status tab, which displays state information for all files being monitored.

How does the File Monitor Source discover files in the first place? You have the choice of two Discovery Modes:

In Auto mode, the Source automatically discovers files that running processes have open for writing.
In Manual mode, the Source discovers the files within a directory, and to a depth, that you specify.

In the QuickConnect UI: Click + New Source, or click + Add beside Sources. From the resulting drawer's tiles, select File Monitor.

Or, in the Data Routes UI: From the top nav of a Cribl Edge instance or Group, select Data > Sources. From the resulting page's tiles or the Sources left nav, select File Monitor.

Input ID: Enter a unique name to identify this File Monitor Source definition.

Discovery Mode: Use the buttons to select one of these options:

Auto: Tells the Source to automatically discover files that running processes have open for writing.
Manual: Tells the Source to discover the files within the Search path (i.e., a directory) that you specify, down to the Max depth. By default, the Max depth field is empty. This means that the Source will search subdirectories, and their subdirectories, and so on, without limit. If you specify 0, the Source will discover only the top-level files within the Search path. For 1, the Source will discover files one level down.

Both modes allow you to set the Polling interval, which otherwise defaults to 10 seconds.

Filename allowlist: Wildcard syntax, and the exclamation mark (!) for negation, are allowed. For example, you can use !*cribl*access.log to prevent the Source from discovering Cribl Edge's own log files. The default filters are */log/* and *log.

Tags: Optionally, add tags that you can use for filtering and grouping in Cribl Edge. Use a tab or hard return between (arbitrary) tag names.

Processing Settings

Event Breakers

Event Breaker rulesets: A list of event breaking rulesets that will be applied to the input data stream before the data is sent through the Routes. Defaults to System Default Rule.

Event Breaker buffer timeout: The amount of time (in milliseconds) that the event breaker will wait for new data to be sent to a specific channel, before flushing out the data stream, as-is, to the Routes.

In this section, you can add fields/metadata to each event, using Eval-like functionality.
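
As an added example (not Cribl's code), this Python sketch previews which files a Manual-mode configuration would collect, applying the Max depth and Filename allowlist rules described above so you can check the collection scope before enabling the Source. The matching semantics are an assumption: wildcards are applied to the full path, and a file is kept when it matches at least one plain pattern and no !-negated one. The names discover, allowed and build_sample_tree are hypothetical, and the sample tree is constructed.

```python
import fnmatch
import os
import tempfile

DEFAULT_ALLOWLIST = ("*/log/*", "*log")  # default filters stated on the page


def allowed(path, allowlist):
    """Assumed semantics: keep a path that matches at least one plain pattern
    and no '!'-negated pattern; wildcards are matched against the full path."""
    positives = [p for p in allowlist if not p.startswith("!")]
    negatives = [p[1:] for p in allowlist if p.startswith("!")]
    if any(fnmatch.fnmatchcase(path, n) for n in negatives):
        return False
    return any(fnmatch.fnmatchcase(path, p) for p in positives)


def discover(search_path, max_depth=None, allowlist=DEFAULT_ALLOWLIST):
    """Manual-mode preview: max_depth None = no limit, 0 = top-level files only,
    1 = also files one level down, and so on."""
    root = os.path.abspath(search_path)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if max_depth is not None and depth >= max_depth:
            dirnames[:] = []  # do not descend any further
        for name in filenames:
            full = os.path.join(dirpath, name)
            if allowed(full, allowlist):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample tree, not taken from the page."""
    for rel in ["syslog", "notes.txt", "app/app.log",
                "app/archive/old.log", "cribl/log/cribl_access.log"]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rules = DEFAULT_ALLOWLIST + ("!*cribl*access.log",)
        for depth in (0, 1, None):
            print(depth, discover(tmp, depth, rules))
```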