Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

FS Change keeps adding and deleting files from monitoring

jdunlea_splunk
Splunk Employee
Splunk Employee
‎02-15-2012 01:31 PM

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file.... one with "action=add" and another with "action=delete"..... as I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John

Reply

daniel333
Builder
‎05-10-2018 03:16 PM

Was there ever a fix to this? Seems like a weird problem to have other files are working great

0 Karma
Reply

bosburn_splunk
Splunk Employee
Splunk Employee
‎08-07-2013 03:32 PM

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feather.

0 Karma
Reply

flo_cognosec
Communicator
‎08-07-2013 08:43 AM

Yep, here too 😞

0 Karma
Reply

gavin1_davenpor
Path Finder
‎01-31-2013 08:52 AM

bump. Happening here too.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...