Solved: What is the correct syntax to have fschange search...

nick085 · ‎10-09-2012

Will the following work:

[fschange:C:\Program Files\progam|D:\File\group]

Should replace "|" with "OR",or should i use "&" or "AND". I am trying to monitor file changes to multiple directories using a single fschange statement. I would prefer to not use multiple fschange statements requiring changes to the same attributes for each fschange. If boolean logic cannot be used, is there a way to use a function to define the attributes for fschange?

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

View solution in original post

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

What is the correct syntax to have fschange search multiple directories?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

What is the correct syntax to have fschange search multiple directories?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem