topic What is the correct syntax to have fschange search multiple directories? in Getting Data In

What is the correct syntax to have fschange search multiple directories?

nick085 — Tue, 09 Oct 2012 15:09:11 GMT

Will the following work:

[fschange:C:\Program Files\progam|D:\File\group]

Should replace "|" with "OR",or should i use "&" or "AND". I am trying to monitor file changes to multiple directories using a single fschange statement. I would prefer to not use multiple fschange statements requiring changes to the same attributes for each fschange. If boolean logic cannot be used, is there a way to use a function to define the attributes for fschange?

Re: What is the correct syntax to have fschange search multiple directories?

bmacias84 — Tue, 09 Oct 2012 16:27:06 GMT

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange