Solved: Re: What is the correct syntax to have fschange se...

nick085 · ‎10-09-2012

Will the following work:

[fschange:C:\Program Files\progam|D:\File\group]

Should replace "|" with "OR",or should i use "&" or "AND". I am trying to monitor file changes to multiple directories using a single fschange statement. I would prefer to not use multiple fschange statements requiring changes to the same attributes for each fschange. If boolean logic cannot be used, is there a way to use a function to define the attributes for fschange?

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

View solution in original post

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

What is the correct syntax to have fschange search multiple directories?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation