Getting Data In

FSCHANGE recurse issue



I want to watch .so .bin files in the /etc/security and its subfolders.

I applied a whitelist filter and a blacklist filter:

regex1 = ($|.+.bin$)
regex1 = .*

Paramètres du File System Change Monitor pour le dossier /etc

recurse = true
filters = whitelistf,blacklistf

Result : i can see the .so and .bin on /etc/security and not in the subfolders.

I guess that fschange apply the filters on the subfolders name too.
I tried to write some regex to include some subfolders but i dont get the waited result.

example of tried regex :

regex1 = ^/etc/security/*/($|.+.bin)$

regex1 = ^/etc/security/.../($|.+.bin)$

regex1 = ^/etc/security/($|.+.bin)$

Any idea is welcome,

Thanks in advance,


Tags (3)

Re: FSCHANGE recurse issue

Super Champion

I believe you need to make the change in the source, not the regex:


0 Karma

Re: FSCHANGE recurse issue


Thanks for your reply lukejadamec, i tried on Splunk Enterprise 6 but it doesn't work: No file added.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.