sean finney on 21 Nov 2011 06:34:49 -0800



Re: [PLUG] How to Find Most Used Files


On Sun, Nov 20, 2011 at 03:20:14PM -0500, Rich Freeman wrote:
> I could envision a program aggregating from lsof or something like
> that, or using a file-alteration-monitor or direct accounting calls to
> the kernel.  That wouldn't require quite as many updates since you
> could flush the log once an hour or whatever.  I have no idea if such
> a thing already exists though.

Assuming you're on a Linux system (i.e. not BSD/Slowlaris/AIX), you can
use either inotify or stap for this purpose.  For example, if you have
systemtap fully installed (including kernel debug symbols), the following
will print a line for every open syscall for the next 4 seconds, along
with the process responsible and pid.

#! /usr/bin/stap

probe syscall.open
{
	printf ("%s(%d) open (%s)\n", execname(), pid(), argstr)
}

probe timer.ms(4000)
{
	exit ()
}

inotify isn't too much more complicated, and there are Python bindings
out there.  And inotify has the advantage of not requiring those debug
symbols, but I didn't have an example lying around for that one :)

Two important things to keep in mind though:

 * tracing like this has a noticeable overhead on systems with lots of I/O
 * if you write your results somewhere, make sure it doesn't get caught
   by the syscall tracing, otherwise your results will be... imbalanced :)

But I'm not sure what any of this will actually get you that you couldn't
get from filesystem-level tools like iostat and a couple manual lsof's.



	sean
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
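
Added example (not part of the original message or the list archive): one way to turn the lines printed by the stap script above into a "most opened files" ranking while leaving out the collector's own log file, per the second caveat. The sample lines are constructed, and the `argstr` layout (quoted path first, then flags) and the names `most_opened`, `skip_pids` and `skip_paths` are assumptions.

```python
import re
from collections import Counter

# Matches the script's printf format: execname(pid) open (argstr)
# Assumption: argstr begins with the quoted path, e.g. "/etc/passwd", O_RDONLY
LINE_RE = re.compile(
    r'^(?P<exe>.+)\((?P<pid>\d+)\) open \("(?P<path>(?:[^"\\]|\\.)*)"'
)

def most_opened(lines, top=10, skip_pids=(), skip_paths=()):
    """Rank paths by open count, ignoring the tracer/logger's own activity.

    Returns (ranked, unparsed): ranked is a list of
    (path, count, sorted process names); unparsed counts rejected lines.
    """
    skip_pids, skip_paths = set(skip_pids), set(skip_paths)
    per_path = Counter()
    openers = {}
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            unparsed += 1          # warnings, truncated lines, etc.
            continue
        pid, path = int(m["pid"]), m["path"]
        if pid in skip_pids or path in skip_paths:
            continue               # would otherwise inflate the results
        per_path[path] += 1
        openers.setdefault(path, set()).add(m["exe"])
    ranked = [(p, n, sorted(openers[p])) for p, n in per_path.most_common(top)]
    return ranked, unparsed

# Constructed sample output; /tmp/opens.log stands in for the results file.
SAMPLE = '''\
cron(812) open ("/etc/passwd", O_RDONLY)
sshd(1033) open ("/etc/passwd", O_RDONLY|O_CLOEXEC)
sshd(1033) open ("/var/log/auth.log", O_WRONLY|O_APPEND)
tee(4021) open ("/tmp/opens.log", O_WRONLY|O_CREAT|O_TRUNC, 0666)
tee(4021) open ("/tmp/opens.log", O_WRONLY|O_APPEND)
cron(812) open ("/etc/passwd", O_RDONLY)
WARNING: constructed non-matching line
'''.splitlines()

if __name__ == "__main__":
    ranked, unparsed = most_opened(SAMPLE, skip_paths={"/tmp/opens.log"})
    for path, count, exes in ranked:
        print(f"{count:6d}  {path}  ({', '.join(exes)})")
    print(f"unparsed lines: {unparsed}")
```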