This script is from the DTrace book, and traces the creation and deletion of files

macflife.d

#!/usr/sbin/dtrace -s
/*
 * maclife.d
 *
 * Example script from Chapter 5 of the book: DTrace: Dynamic Tracing in
 * Oracle Solaris, Mac OS X, and FreeBSD", by Brendan Gregg and Jim Mauro,
 * Prentice Hall, 2011. ISBN-10: 0132091518. http://dtracebook.com.
 * 
 * See the book for the script description and warnings. Many of these are
 * provided as example solutions, and will need changes to work on your OS.
 */

#pragma D option quiet
#pragma D option switchrate=10hz

dtrace:::BEGIN
{
	printf("%-12s %6s %6s %-12.12s %-12s %s\n", "TIME(ms)", "UID",
	    "PID", "PROCESS", "CALL", "DIR/FILE");
}

/* see sys/bsd/sys/vnode_if.h */

fbt::VNOP_CREATE:entry,
fbt::VNOP_REMOVE:entry
{
	this->path = ((struct vnode *)arg0)->v_name;
	this->name = ((struct componentname *)arg2)->cn_nameptr;
	printf("%-12d %6d %6d %-12.12s %-12s %s/%s\n",
	    timestamp / 1000000, uid, pid, execname, probefunc,
	    this->path != NULL ? stringof(this->path) : "<null>",
	    stringof(this->name));
}

http://dtrace.org/blogs/brendan/2011/10/10/top-10-dtrace-scripts-for-mac-os-x/:

This script is from the DTrace book, and traces the creation and deletion of files:

Brendan-2:~ brendan$ sudo ./dtbook/Chap5/maclife.d
TIME(ms) UID PID PROCESS CALL DIR/FILE
3754594958 503 54079 Google Chrom VNOP_CREATE Chrome/.com.google.Chrome.K7I9jy
3754597703 503 54079 Google Chrom VNOP_CREATE -Tmp-/.com.google.Chrome.8MIKKL
3754597703 503 54079 Google Chrom VNOP_REMOVE -Tmp-/.com.google.Chrome.8MIKKL
3754597703 503 54079 Google Chrom VNOP_CREATE -Tmp-/.com.google.Chrome.TLlOje
3754597703 503 54079 Google Chrom VNOP_REMOVE -Tmp-/.com.google.Chrome.TLlOje
3754598365 503 54079 Google Chrom VNOP_CREATE -Tmp-/.com.google.Chrome.yIwTdE
3754598365 503 54079 Google Chrom VNOP_REMOVE -Tmp-/.com.google.Chrome.yIwTdE
3754603801 503 65002 TweetDeck VNOP_CREATE Cookies/Cookies.plist_tmp_65002_0.dat
3754605028 503 65002 TweetDeck VNOP_REMOVE Local Store/td_26_brendangregg.db-journal
3754605026 503 65002 TweetDeck VNOP_CREATE Local Store/td_26_brendangregg.db-journal
3754607674 503 65002 TweetDeck VNOP_CREATE Local Store/td_26_brendangregg.db-journal
3754607676 503 65002 TweetDeck VNOP_REMOVE Local Store/td_26_brendangregg.db-journal
3754609536 503 34852 Adium VNOP_CREATE Default/.dat8824.9fa
3754711583 503 17726 thnuclnt VNOP_CREATE thnuclnt-17717/thnuclnt.conf-fta17726
3754711587 503 17726 thnuclnt VNOP_REMOVE -Tmp-/4e8220118e918
3754711617 503 17726 thnuclnt VNOP_REMOVE -Tmp-/4e8220118ead8
3754711620 503 17726 thnuclnt VNOP_REMOVE -Tmp-/4e8220119621c
3754711623 503 17726 thnuclnt VNOP_REMOVE -Tmp-/4e82201196d7e
3754711624 503 17726 thnuclnt VNOP_REMOVE thnuclnt-17717/thnuclnt.conf-fta17726
3754612740 503 31502 vim VNOP_CREATE macosx/4913
3754612740 503 31502 vim VNOP_REMOVE macosx/4913
3754612741 503 31502 vim VNOP_CREATE macosx/top10dtrace.html
3754612741 503 31502 vim VNOP_REMOVE macosx/top10dtrace.html~
[...]

Interesting! While tracing I saved the file I was editing in vim, which is seen in the last four lines. This tells me that vim is creating and removing temporary files as part of the save process.

Also note that it looks like TweetDeck created the file twice before removing it (two VNOP_CREATEs followed by a VNOP_REMOVE). This isn’t the correct order, which can be seen by examining the TIME(ms) column. A side-effect of DTrace’s negligible performance impact design is that output can be slightly shuffled due to the way it collects data from per-CPU buffers. I often include a TIME column like that one, not just for the usefulness of knowing time, but also as a means to post sort the output.