sorry for noob question, i am using splunk for 2 days...
i am pulling my hair out, can't get it to work....
i have set up an index fschange_test
added this to local/inputs.conf
index = fschange_test
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
changed a few files, added some in /etc...
so i go to search type
and get 0 matching events...
the same goes if i add or change some files in splunk's /etc dir which should work by default...
you will love splunk the more you use it 😉
does your user which runs splunkd have read access to /etc?
what can be found if you search
index=_internal source="*splunkd.log*" for /etc?
as you already have found answer.splunk.com; another great source is splunk docs
i managed to get it running and am currently running a battle with blacklist excluding folders on recurse, so i think i will have to go the harder way; not to include what i want, but exclude what i don't want....
thanks for your time to answer 😃