
Monitoring files activity with Splunk


Splunk is a powerful tool that allows users to analyze logs from many different kinds of sources, and Resilio Connect is no exception. For the rest of this article we assume that the Splunk server resides on the same host as your Resilio MC, though Splunk can forward logs to another host if necessary.

Important note: only the events.log produced by Resilio Connect MC v2.2 and newer is compatible with Splunk.

Open your Splunk admin console and choose "Add data":

[Screenshot: Splunk home page, "Add data"]

As the events.log keeps growing and rotates periodically, we need to choose the "Monitor" option:

[Screenshot: "Add Data" page, "Monitor" option]

Pick the "Files & Directories" source and point Splunk at the events.log. The precise file location depends on your OS and can be found in the server configuration file. Confirm that you want to continuously monitor the file:

[Screenshot: "Add Data - Select Source" page, "Files & Directories"]

Now we need to teach Splunk how to parse the event log lines. Pick the source type "Structured" -> "_json". Choose "Advanced" extraction and pick your timezone (this is important because the MC keeps all timestamps in UTC). Put "%s" into the timestamp format (which tells Splunk that the time is stored as UNIX time) and enter "event.ts" into the timestamp field, so that Splunk knows which JSON field contains the timestamp of the event.

[Screenshot: "Add Data - Set Sourcetype" page]

Leave the "Input settings" default values.

[Screenshot: "Add Data - Input Settings" page]

Once you are done, jump into the "Search" app.

[Screenshot: Splunk "Search" app]

Here are a couple of useful searches in Splunk.

  • Find out which agents have finished syncing a particular folder (replace the share ID in the query with yours):
    event.event_type="folder_receive_finish" event.data.share="<share_id>" | table event.ts peer
  • Find out what happened to a particular file:
    event.data.path="<your_filename>" | table event.ts peer event.event_type
  • Find the history of actions of a particular agent:
    peer="<PeerID>" | table event.ts event.event_type event.data.path
  • Track your users' activity:
    (event.event_type="file_added" OR event.event_type="file_modified") | timechart count(peer) span=1d
  • Find errors that are happening in your setup:
    event.data.error!=0 | table _time peer event.data.error event.data.path
  • Check whether any of your users has mass-deleted files from a common share (set "Number of results" to a value that is appropriate for your organization):
    event.event_type="file_deleted" earliest=-24h latest=now
  • Track real-time activity of a particular folder. This shows the latest event reported by each peer for the selected folder; if you choose a real-time sliding window, Splunk will show what happens in real time:
    event.data.share="<your_share_id>" | stats latest(event.event_type) as latest_event, latest(_time) as event_time_e by peer | convert ctime(event_time_e) AS event_time | table peer latest_event event_time
  • Measure your data delivery latency, i.e. the time from the moment a peer detects a new or changed file to the moment any peer receives the updated data:
    event.data.share="<your_share_id>" | transaction event.data.hash startswith=eval('event.event_type'=="file_added" OR 'event.event_type'=="file_modified") endswith=eval('event.event_type'=="file_received") maxevents=-1 | table _time duration
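The mass-deletion and delivery-latency searches above can be reproduced offline, which is handy for testing a detection threshold before it goes into a Splunk alert, or for checking events.log on a host that has no forwarder yet. The following script is an added example written for this article; it is not Resilio's or Splunk's code. It assumes that events.log holds one JSON object per line with the layout {"peer": ..., "event": {"ts": <unix seconds>, "event_type": ..., "data": {"share": ..., "path": ..., "hash": ..., "error": ...}}}, which is inferred from the field names the searches use (event.ts, event.event_type, event.data.share, etc.); the sample lines, peer IDs, share ID, paths and hashes are constructed.

```python
"""Offline equivalents of two of the Splunk searches in this article, run over a
few constructed events.log lines. Added example; not Resilio's or Splunk's code.
The JSON layout below is an assumption inferred from the search field names."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events.log content (peer IDs, share ID, paths, hashes are made up).
# The last line is deliberately broken: a rotating log can end in a partial line.
SAMPLE_EVENTS_LOG = """
{"peer": "peer-A", "event": {"ts": 1500000000, "event_type": "file_added", "data": {"share": "share-1", "path": "docs/a.txt", "hash": "h1", "error": 0}}}
{"peer": "peer-B", "event": {"ts": 1500000012, "event_type": "file_received", "data": {"share": "share-1", "path": "docs/a.txt", "hash": "h1", "error": 0}}}
{"peer": "peer-C", "event": {"ts": 1500000030, "event_type": "file_received", "data": {"share": "share-1", "path": "docs/a.txt", "hash": "h1", "error": 0}}}
{"peer": "peer-A", "event": {"ts": 1500000100, "event_type": "file_modified", "data": {"share": "share-1", "path": "docs/b.txt", "hash": "h2", "error": 0}}}
{"peer": "peer-B", "event": {"ts": 1500000145, "event_type": "file_received", "data": {"share": "share-1", "path": "docs/b.txt", "hash": "h2", "error": 0}}}
{"peer": "peer-B", "event": {"ts": 1500000200, "event_type": "file_deleted", "data": {"share": "share-1", "path": "docs/x1.txt", "hash": "h3", "error": 0}}}
{"peer": "peer-B", "event": {"ts": 1500000201, "event_type": "file_deleted", "data": {"share": "share-1", "path": "docs/x2.txt", "hash": "h4", "error": 0}}}
{"peer": "peer-B", "event": {"ts": 1500000202, "event_type": "file_deleted", "data": {"share": "share-1", "path": "docs/x3.txt", "hash": "h5", "error": 0}}}
{"peer": "peer-C", "event": {"ts": 1500000300, "event_type": "file_deleted", "data": {"share": "share-1", "path": "docs/y.txt", "hash": "h6", "error": 0}}}
{"peer": "peer-C", "event": {"ts": 1500090000, "event_type": "file_deleted", "data": {"share": "share-1", "path": "docs/z.txt", "hash": "h7", "error": 0}}}
{"peer": "peer-A", "event": {"ts": 15000901
"""


def parse_events_log(text):
    """Yield (peer, ts, event_type, data) tuples, skipping lines that are not
    complete JSON objects of the assumed layout."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ev = rec["event"]
            yield rec["peer"], int(ev["ts"]), ev["event_type"], ev.get("data", {})
        except (ValueError, KeyError, TypeError):
            continue


def ts_to_datetime(ts, tz=timezone.utc):
    """Same conversion the '%s' timestamp format + timezone setting performs in Splunk."""
    return datetime.fromtimestamp(ts, tz)


def mass_deletions(events, now_ts, window_s=24 * 3600, threshold=3):
    """Equivalent of: event.event_type="file_deleted" earliest=-24h latest=now,
    with a per-peer threshold applied in code. Returns {peer: deletion_count}
    for peers at or above the threshold inside the window."""
    counts = Counter()
    for peer, ts, etype, _ in events:
        if etype == "file_deleted" and now_ts - window_s <= ts <= now_ts:
            counts[peer] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


def delivery_latencies(events, share):
    """Equivalent of the transaction search: per content hash, the time from the
    first file_added/file_modified to the first file_received on any peer.
    Returns a list of (hash, receiving_peer, latency_seconds)."""
    started = {}
    latencies = []
    for peer, ts, etype, data in sorted(events, key=lambda e: e[1]):
        if data.get("share") != share:
            continue
        h = data.get("hash")
        if etype in ("file_added", "file_modified"):
            started.setdefault(h, ts)  # keep the earliest start for this hash
        elif etype == "file_received" and h in started:
            # Like endswith= in the transaction, the first receive closes it.
            latencies.append((h, peer, ts - started.pop(h)))
    return latencies


if __name__ == "__main__":
    events = list(parse_events_log(SAMPLE_EVENTS_LOG))
    now = 1500086400  # constructed "now": 24h after the first sample event
    for peer, ts, etype, data in events:
        print(ts_to_datetime(ts).isoformat(), peer, etype, data.get("path"))
    print("mass deletions:", mass_deletions(events, now))
    print("delivery latency:", delivery_latencies(events, "share-1"))
```

Running the script flags peer-B (three deletions inside the window; peer-C's last deletion falls outside it) and reports latencies of 12 s and 45 s for the two hashes, matching what the Splunk transaction would show as duration.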
