I have a client that wants to monitor a system configuration file, specifically the content of the configuration file. They would like to index the content of the file and ultimately only index the content again when the configuration file content changes.
We've tried using "fschange" but it's only outputting the file characteristics (see below), not the file content:
Tue Jun 4 10:07:32 2019 action=add, path="///opt/mapr/spark/spark-2.2.1/conf/spark-defaults.conf", isdir=0, size=1957, gid=1446, uid=930, modtime="Wed Jan 23 15:58:32 2019", mode="rw-r--r--", hash=***
The inputs.conf configuration settings for "fschange" that we've tried are:
index = _audit
recurse = false
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000
Has someone successfully indexed a configuration file's content and re-indexed the configuration content when the configuration content changes?
Well, that is what fschange (which btw is deprecated since Splunk 5.x) does:
[fschange:<path>] * Monitors changes (such as additions, updates, and deletions) to this directory and any of its sub-directories.
If you want to index config files and index when they change, you need to add a monitor stanza and add the option
crcSalt = <SOURCE> to the monitor. This will re-index the file once it changes.
Hope this helps ...
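Below is an added example of what the monitor stanza described in the answer above looks like in inputs.conf; it is not from the original post or the answer author. The path is the one shown in the question's fschange output; the sourcetype name "sparkconf" and the index name "config_files" are assumed names chosen for illustration.

```ini
# inputs.conf (added example; the sourcetype and index names are assumed)
# Monitor the single Spark config file from the question rather than the
# whole conf directory, so only that file's content is indexed.
[monitor:///opt/mapr/spark/spark-2.2.1/conf/spark-defaults.conf]
# Send the content to a normal user index, not to _audit.
index = config_files
sourcetype = sparkconf
# Salt the initial CRC with the full source path, as the answer suggests,
# so this file is tracked independently of any other file that happens to
# start with the same bytes (e.g. another copy of spark-defaults.conf).
crcSalt = <SOURCE>
disabled = false
```

Two practical notes: the question's fschange stanza used index = _audit, which is the index Splunk reserves for its own audit trail, so a dedicated index as in the example keeps the configuration content separate from Splunk's internal audit events; and after adding the stanza the forwarder must be restarted, after which `splunk list inputstatus` shows the file's monitoring state and can be used to confirm the file was picked up.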
Hi @u568675 ,
Did you have a chance to check out an answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.
Thanks for posting!