fschange, file system change detection not working... - Splunk Community

Getting Data In

I have changed input.conf and restarted Spulnk, but I can't see any event generated for changing /etc/hosts file.

The the procedure was

Added inputs.conf for fschange conf.
Restarted Splunk.
Changed /etc/hosts file to see splunk generated event
logined to Splunk for fschange log.

And the I coould find the fs change log. Am I missing any procedure?

=====================================

[root@splunk local]# pwd
/opt/splunk/etc/system/local
[root@splunk local]# cat inputs.conf
[default]
host = splunk

[fschange:/etc]
index=os
recurse=true
followLinks=true
pollPeriod=60
fullEvent=true

=====================Splunk Restarted

Are you searching for something like this?

index=os source="fschangemonitor" path=*hosts*

If that search doesn't return results, what Splunk & OS version are you using?

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...