https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17190#M2153 <P>I am having a similar issue and would like to see a response. Anyone?</P> Thu, 11 Nov 2010 07:20:46 GMT balt 2010-11-11T07:20:46Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17187#M2150 <P>I have set up the following fschange for a test, in a test-box</P> <PRE><CODE>[filter:blacklist:sys-folder-blacklist] regex1=/sys/block/* regex2=/sys/devices/system/* regex3=/sys/module/* regex4=/sys/devices/platform/* [fschange:/sys] index = _audit sourcetype = fschange signedaudit = false sendEventMaxSize = -1 recurse = true disabled = false pollPeriod = 86400 filesPerDelay = 10 delayInMills = 100 followLinks = false fullEvent = false hashMaxSize = -1 filters=sys-folder-blacklist </CODE></PRE> <P>It still shows me some events with path related to the black list filter and the action is action=delete-parent</P> <P>Could someone explain me, if this takes place only for the initial indexing?</P> <P>-raghu</P> Sun, 11 Jul 2010 15:33:44 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17187#M2150 heterodyned 2010-07-11T15:33:44Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17188#M2151 <P>Also I forgot to say that,</P> <P>I have two copies of the input.conf one in etc/system/local<BR /> and other in /etc/apps/search/local</P> <P>Is it because it cud be passing the search due to precedence?</P> Sun, 11 Jul 2010 15:35:56 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17188#M2151 heterodyned 2010-07-11T15:35:56Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17189#M2152 <P>Update...the filters dont seem to work, they are still indexing data from those folders</P> Mon, 12 Jul 2010 21:20:51 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17189#M2152 heterodyned 2010-07-12T21:20:51Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17190#M2153 <P>I am having a similar issue and would like to see a response. Anyone?</P> Thu, 11 Nov 2010 07:20:46 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17190#M2153 balt 2010-11-11T07:20:46Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17191#M2154 <P>Balt,<BR /> I havent yet received a response on why those events come in, but after you implement the filters, it does show events of action=delete only once after the fil4ers are applied. I presume it is remove those indexing IDs from splunk which was previously created for the particular path</P> Thu, 11 Nov 2010 18:56:30 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17191#M2154 heterodyned 2010-11-11T18:56:30Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17192#M2155 <P>I also have faced same issue before, and I have heard from support team that there is known issue when we use blacklist. So, you may need to ask support team to solve the issue.</P> Thu, 25 Nov 2010 08:26:31 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17192#M2155 Takajian 2010-11-25T08:26:31Z https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17193#M2156 <P>Oh is it? could it be the regex in use that maybe causing these delete events? I shall get in touch with the support team to verify, I did observe that after the delete events, the implemented black-list filter works fine. Thanks Sasaki I shall get in touch with support team to resolve this issue <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 25 Nov 2010 15:28:16 GMT https://community.splunk.com/t5/Getting-Data-In/fschange-output/m-p/17193#M2156 heterodyned 2010-11-25T15:28:16Z