https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78353#M16031 <P>Hey, thanks for your answer, but that's a typo on my behalf, any query I use to search does not bring any results (I'll edit the question with the right search parameters though thanks for pointing it out)</P> Wed, 03 Oct 2012 13:51:49 GMT SplunkUser5888 2012-10-03T13:51:49Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78348#M16026 <P>Hey guys, I've seen a couple of similar questions to mine but nothing has helped. I have a very simple edit in the inputs.conf of my Universal Forwarder on a Windows Server.<BR /> It has in it;</P> <PRE><CODE>[default] host = server2003-splu [fschange:C:\Program Files\] index = _audit signedaudit = false #pollPeriod = 1 #hashMaxSize = 10485760 #fullEvent = true [script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path] disabled = 0 </CODE></PRE> <P>Any reason why when i do a search</P> <PRE><CODE>index=_audit sourcetype=fs_notification host=server2003-splu </CODE></PRE> <P>it doesn't come back with anything even after adding, changing and deleting files and folders in the Program Files directory?</P> <P>Thanks for any help you can give me</P> Wed, 03 Oct 2012 12:26:02 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78348#M16026 SplunkUser5888 2012-10-03T12:26:02Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78349#M16027 <P>No one knows how I can change my file to make it work? I don't mind rewriting it if someone thinks it needs to be changed completely</P> Wed, 03 Oct 2012 13:35:59 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78349#M16027 SplunkUser5888 2012-10-03T13:35:59Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78350#M16028 <P>The sourcetype should be <CODE>fs_notification</CODE>, not <CODE>fs_notifications</CODE>. Also you have a typo in the stanza below (diasbled instead of disabled), though that shouldn't affect the fschange stanza.</P> Wed, 03 Oct 2012 13:43:39 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78350#M16028 Ayn 2012-10-03T13:43:39Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78351#M16029 <P>Your question was posted only an hour ago. You can't expect people doing this on their spare time to always see and respond to the question immediately...</P> Wed, 03 Oct 2012 13:44:43 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78351#M16029 Ayn 2012-10-03T13:44:43Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78352#M16030 <P>sorry, I didn't mean to sound pushy</P> Wed, 03 Oct 2012 13:50:34 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78352#M16030 SplunkUser5888 2012-10-03T13:50:34Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78353#M16031 <P>Hey, thanks for your answer, but that's a typo on my behalf, any query I use to search does not bring any results (I'll edit the question with the right search parameters though thanks for pointing it out)</P> Wed, 03 Oct 2012 13:51:49 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78353#M16031 SplunkUser5888 2012-10-03T13:51:49Z https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78354#M16032 <P>It works now. Same config, same search nothing changed. It was a stupid mistake after all, the Universal Forwarder was not being restarted properly.</P> <P>Answer:</P> <P>Make sure you restart the server properly</P> <PRE><CODE>C:\Program Files\SplunkUniversalForwarder\bin&gt;splunk.exe restart </CODE></PRE> Thu, 04 Oct 2012 12:29:50 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-with-universal-Forwarder/m-p/78354#M16032 SplunkUser5888 2012-10-04T12:29:50Z