Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

FS Change keeps adding and deleting files from monitoring

jdunlea_splunk
Splunk Employee
Splunk Employee
‎02-15-2012 01:31 PM

I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds.

[fschange:/etc/hosts.allow]
index = fschange_main
pollPeriod = 300

[fschange:/etc/hosts.deny]
index = fschange_main
pollPeriod = 300

For some reason, every poll period (5 mins) I get 2 events for each file.... one with "action=add" and another with "action=delete"..... as I said, this keeps happening once per poll period.

Can someone tell me what is wrong? I do not have duplicate fschange stanzas for those files.

Thanks!

John

Reply

daniel333
Builder
‎05-10-2018 03:16 PM

Was there ever a fix to this? Seems like a weird problem to have other files are working great

0 Karma
Reply

bosburn_splunk
Splunk Employee
Splunk Employee
‎08-07-2013 03:32 PM

This is a known issue. It's unknown if / when it will be fixed since fschange is a deprecated feather.

0 Karma
Reply

flo_cognosec
Communicator
‎08-07-2013 08:43 AM

Yep, here too 😞

0 Karma
Reply

gavin1_davenpor
Path Finder
‎01-31-2013 08:52 AM

bump. Happening here too.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...