Sorry for the noob question, I have been using Splunk for 2 days...
I am pulling my hair out, can't get it to work....
I have set up an index fschange_test
and added this to local/inputs.conf:
[fschange:/etc]
index = fschange_test
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
Splunk restarted.
Changed a few files, added some in /etc...
So I go to search and type
index="fschange_test"
and get 0 matching events...
The same goes if I add or change some files in Splunk's /etc dir, which should work by default...
Hi skopy
You will love Splunk the more you use it 😉
Does the user that runs splunkd have read access to /etc?
What can be found if you search index=_internal source="*splunkd.log*" for /etc?
As you have already found answer.splunk.com; another great source is the Splunk docs.
cheers
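As an added example (not from this thread and not a Splunk-provided tool), a small POSIX shell helper for the two checks suggested in this answer: which OS user runs splunkd and whether that user can read the monitored directory, and which splunkd.log lines mention the fschange input for a given path. The function names, the `--demo` switch and the sample log lines are my own assumptions; the sample lines only imitate the general shape of splunkd.log entries and are constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic helper (hypothetical, not from the thread or from Splunk).
# Assumes a Unix host with ps, awk and grep. Source it or run with --demo.

# OS user that runs splunkd, or empty output if no splunkd process is found.
splunkd_user() {
    ps -eo user=,comm= 2>/dev/null | awk '$2 == "splunkd" { print $1; exit }'
}

# Is the directory readable and searchable (r+x) for the CURRENT user?
# To test it as the splunkd user, run it under that account, e.g.:
#   su -s /bin/sh -c '. ./fschange_check.sh; can_read_dir /etc && echo ok' splunk
can_read_dir() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Print only the log lines (read from stdin) that mention fschange and the path in $1, e.g.:
#   cat "$SPLUNK_HOME/var/log/splunk/splunkd.log" | fschange_log_lines /etc
fschange_log_lines() {
    grep -i 'fschange' | grep -F -- "$1"
}

# Count the WARN/ERROR lines among those; always prints a number, 0 when nothing matches.
fschange_problem_count() {
    fschange_log_lines "$1" | awk '/ (WARN|ERROR) / { n++ } END { print n + 0 }'
}

# Constructed sample lines in the rough shape of splunkd.log entries (demo data only,
# the component names and messages are invented).
SAMPLE_LOG='01-02-2024 10:00:01.000 +0000 INFO  fschange - Monitoring /etc with recurse=true
01-02-2024 10:00:02.000 +0000 ERROR fschange - Cannot open directory /etc/ssl/private: Permission denied
01-02-2024 10:00:03.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/log/syslog
01-02-2024 10:00:04.000 +0000 WARN  fschange - Skipping /etc/shadow: Permission denied'

if [ "${1:-}" = "--demo" ]; then
    echo "splunkd runs as: $(splunkd_user)"
    if can_read_dir /etc; then
        echo "/etc is readable by $(id -un)"
    else
        echo "/etc is NOT readable by $(id -un)"
    fi
    printf '%s\n' "$SAMPLE_LOG" | fschange_log_lines /etc
    printf 'fschange WARN/ERROR lines for /etc: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | fschange_problem_count /etc)"
fi
```

Run `can_read_dir` as the splunkd account rather than as root: root can read almost anything, so a check as root says nothing about whether the input itself can open the directory. A non-zero WARN/ERROR count for the monitored path points at the permission problem the answer above suggests checking first.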
I managed to get it running and am currently fighting a battle with the blacklist excluding folders on recurse, so I think I will have to go the harder way: not include what I want, but exclude what I don't want....
Thanks for your time to answer 😃
Hi skopy, you could accept the answer so it will be marked as answered..... and have fun with Splunk 🙂
MuS