Skip to main content
Version: 2.14.0

Where Did My Folder Go?

Overview

The Where Did My Folder Go? feature helps identify folders and files that were moved, renamed, or deleted due to user actions on NAS shares. These actions can cause data to appear missing and commonly result in support requests to locate affected content.

This feature provides audit visibility into file system activity, allowing support teams to quickly determine when a change occurred, who performed the action, and where the data was moved or deleted.

Earlier versions of this feature focused on directory movement tracking. Directory delete events are also tracked, and file rename and delete events are supported, along with additional controls to narrow the search time range.

Role-based access control includes a read-only role that can be assigned to help desk users, enabling them to investigate file and folder activity without requiring administrative privileges.

Limitations

Search result limit

Searches return up to 5,000 results by default.
This limit is intentional and helps improve search performance when working with large datasets.

If the user interface displays Results 5000 (Limit 5000), increase the result limit and run the search again.

To increase the limit:

  1. Connect to the Eyeglass virtual machine as the admin user.
  2. Run the following command:
igls easyauditor folderquerylimit set --limit=10000

Copy to clipboard limit

The Copy to Clipboard feature is validated for up to 5,000 entries. When more than 5,000 results are returned, not all rows may be copied.

To ensure complete results are copied:

  • Narrow the search time range, or
  • Specify a path closer to the expected folder or file location.

Use Cases

This feature is commonly used in the following scenarios:

  • A user drags and drops a folder on a share
  • A directory is renamed
  • A directory is deleted
  • A file is renamed
  • A file is deleted
info

This feature does not capture drag-and-drop operations between SMB shares, as these actions are treated as copy events rather than move operations.

Cut-and-paste operations on SMB shares (including between shares) are also not captured, as they generate create and delete events.
To identify these actions, use queries and reports to search for file create and delete activity.

How to Use

Prerequisites

  • Access to the Eyeglass UI with appropriate permissions
  • Target folder or file path information (starting with \ifs\ or a path close to the suspected location)
  • Approximate date and time when the folder or file activity occurred

Step-by-Step Instructions

Select the folder path (mandatory)

  1. Use the directory selector to choose the cluster and path.
  2. The path must begin with \ifs\. Selecting a path closer to the suspected location helps reduce the number of results and improves search performance.

Select event type (mandatory)

  1. Select Folders to search for directory rename and delete events.
  2. Select Files to search for file rename and delete events.
info

Searching for folders or files returns both rename and delete events.
The Show Deleted Objects option filters the displayed results but does not execute a new search. If the expected file or folder is not displayed, expand the time range or select a path closer to where the activity occurred.

Select a date range (mandatory)

  1. Searches must be performed using day-by-day or hour-by-hour ranges to ensure fast results.
  2. You can select predefined ranges using the dropdown: 1, 2, 4, 6, or 24 hours.
  3. Use the time control to adjust the search start time if needed.
  4. When selecting a previous day, the search automatically starts from the current system time.

Filter deleted objects (optional)

  1. Enable Show Deleted Objects to display directory and file delete events in addition to rename events.
  2. By default, only rename events are displayed.

Review search results

The results table includes the following information:

  • Changed Time – The timestamp when the file or directory was moved, renamed, or deleted
  • Was Here – The original path before the operation
  • Now Here – Displays the new path for moved or renamed items, or Deleted Folder / Deleted File for delete events
  • User – The user ID that performed the action
info

A results counter shows how many entries were returned and the current result limit (default: 5,000).
To increase the number of results returned per search, use the Eyeglass CLI command described earlier in this document.

Use search results to locate data

  • Identify the path and user associated with the folder or file activity.
  • Use this information to restore the data to its previous location or contact the user who performed the action.

Export results (optional)

  • Click Copy to Clipboard to copy the results.
  • Paste the data into Excel or another tool for sorting and further analysis.