Using fschange monitor on Windows UF

branfarm
Explorer

Hi there,

First off, I'm new to Splunk so I apologize if I'm asking basic questions.

I'm trying to use the deployment server to deploy an app that will watch a specific file on a set of Windows boxes. My problem is that although the changes are being correctly recorded, the actual file is being broken up into multiple events, instead of one event for the whole file.

Here's the basic setup. I have a number of boxes that contain 4 Folders with a config file inside.

The folders are:

C:\Folder\config.ini    
C:\FolderB\config.ini    
C:\FolderC\config.ini    
C:\FolderD\config.ini

I'm using fschange in the inputs.conf (for testing purposes I've only configured the first folder):

[fschange:C:\Folder]
sourcetype = folder_monitor
index = configmanager
filters = AllowFolderini,BlockAll
pollPeriod = 5
fullEvent = true
sendEventMaxSize = -1
recurse = false
signedaudit = false
disabled = false

[filter:whitelist:AllowFolderini]
regex1= \.ini$

[filter:blacklist:BlockAll]
regex1= .?

And my props.conf contains:

[source::C:\Folder\*.ini]
sourcetype = Folder_ini


[Folder_ini]
LINE_BREAKER = ^()$
SHOULD_LINEMERGE = true
LEARN_MODEL = false

Part of my setup is working, because I'm successfully getting change notifications, and those are classified correctly as sourcetype 'folder_monitor'. The part I can't get to work is that my .ini files are showing up as individual lines, instead of one event per file.

My first question is where are the actual props actions taking place? Is it on the UF, or does my main Splunk indexer require the same props.conf elements? If the main index requires the same elements, should they be located under the $SPLUNK_HOME$/etc/apps/ directory for my application, or under $SPLUNK_HOME$/etc/system/local ?

Second, I've found a lot of splunk-base questions on similar issues. Seems like there have been some bugs around the fschange type, so does anyone know if these have been resolved in the latest build? I'm running 4.3.3, build 128297.

Thanks for your help,

Brandon


branfarm
Explorer

Alright... well a little digging goes a long ways. Turns out that the props.conf I was pushing to the UF had an incorrect windows path format:

[source::C:\Folder\*.ini]

should've been

[source::C:\\Folder\\*.ini]
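The fix above comes down to one rule: backslashes in a `[source::...]` stanza header must be doubled, because the header is a pattern, not a literal path. The following is an added example, not code from the original post or from Splunk, that catches this mistake before an app is pushed from the deployment server. It parses Splunk-style .conf text with a minimal reader (so duplicate keys such as regex1, regex2 survive), flags any `source::` header whose backslashes are not doubled and suggests the corrected header, and also simulates the fschange whitelist/blacklist filters from the question's inputs.conf against a few constructed file names. The sample stanzas are copied from the question; the first-match-wins filter semantics (filters tried left to right, the first matching regex decides, anything unmatched is accepted) is my reading of the fschange filter docs and is an assumption, not something the page states.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the props.conf header exactly as the question had it,
# and the corrected form from the follow-up post.
BROKEN_PROPS = r"""[source::C:\Folder\*.ini]
sourcetype = Folder_ini
"""
FIXED_PROPS = r"""[source::C:\\Folder\\*.ini]
sourcetype = Folder_ini
"""

# Constructed copy of the question's inputs.conf stanzas.
INPUTS_CONF = r"""[fschange:C:\Folder]
sourcetype = folder_monitor
index = configmanager
filters = AllowFolderini,BlockAll
pollPeriod = 5
fullEvent = true
recurse = false
disabled = false

[filter:whitelist:AllowFolderini]
regex1= \.ini$

[filter:blacklist:BlockAll]
regex1= .?
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal Splunk .conf reader: stanza name -> ordered (key, value) pairs.
    Keeps duplicate keys (regex1, regex2, ...) instead of merging them."""
    stanzas: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current].append((m.group(1), m.group(2)))
    return stanzas


def double_odd_backslash_runs(path: str) -> str:
    """Double every odd-length run of backslashes so each one is escaped."""
    return re.sub(r"\\+", lambda m: m.group(0) + ("\\" if len(m.group(0)) % 2 else ""), path)


def lint_source_stanzas(props_text: str) -> List[Tuple[str, str]]:
    """Return (bad_header, suggested_header) for every source:: stanza whose
    Windows path contains unescaped backslashes."""
    findings = []
    for stanza in parse_conf(props_text):
        if not stanza.startswith("source::"):
            continue
        path = stanza[len("source::"):]
        fixed = double_odd_backslash_runs(path)
        if fixed != path:
            findings.append((stanza, "source::" + fixed))
    return findings


def build_filters(inputs_text: str, monitor_stanza: str) -> List[Tuple[str, List[str]]]:
    """Resolve the `filters =` key of an fschange stanza into an ordered list of
    (kind, [regexes]) where kind is 'whitelist' or 'blacklist'."""
    conf = parse_conf(inputs_text)
    names = dict(conf[monitor_stanza])["filters"].split(",")
    resolved = []
    for name in (n.strip() for n in names):
        for kind in ("whitelist", "blacklist"):
            key = f"filter:{kind}:{name}"
            if key in conf:
                resolved.append((kind, [v for k, v in conf[key] if k.startswith("regex")]))
    return resolved


def passes_fschange_filters(name: str, filters: List[Tuple[str, List[str]]]) -> bool:
    """Assumption (my reading of the fschange docs): filters are applied left to
    right, the first regex that matches decides, and an unmatched name is accepted."""
    for kind, regexes in filters:
        if any(re.search(rx, name) for rx in regexes):
            return kind == "whitelist"
    return True


if __name__ == "__main__":
    for bad, good in lint_source_stanzas(BROKEN_PROPS):
        print(f"unescaped path: [{bad}]  ->  [{good}]")
    flt = build_filters(INPUTS_CONF, r"fschange:C:\Folder")
    for fname in ("config.ini", "config.bak", "notes.txt"):
        print(fname, "monitored" if passes_fschange_filters(fname, flt) else "filtered out")
```

Running the linter over a whole app's default/props.conf before deploying it is the cheap check; the filter simulation is useful because the `.?` blacklist matches every name, so the whitelist only works because it is listed first.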