Getting Data In

fschange filters for windows

heterodyned
Path Finder

I tried searching for documentation on how to implement filters for directories (in fschange).

Could someone let me know where I could find documentation on this? The documentation page has an example to blacklist all the contents within a directory; how about a particular directory?

Here is my Windows fschange implementation:

[filter:blacklist:pamping]
regex1=\*\ignore\*

(I tried c:\pamping\ignore\* too, but it didn't work.)

[fschange:c:\pamping]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 60
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
filters=pamping

The above filter which was set wasn't filtering events within the ignore directory. Am I applying the filter incorrectly?

1 Solution

Lowell
Super Champion

Looks like your regex is incorrect. Try using the filter:

[filter:blacklist:pamping]
regex1 = .*ignore.*

Or, for your original path:

[filter:blacklist:pamping]
regex1 = c:\\pamping\\ignore\\.*

Keep in mind that when you are writing a regex, you have to use "\\" to match a single "\". And you have to use ".*" to mean match any character 0 or more times.

Your original regex of "\*\ignore\*" is literally interpreted as match a literal "*" followed by an "i" (I don't think that "\i" means anything in regex speak, so this is my best guess) followed by gnore followed by a literal "*"; which isn't at all what you want. For a general regex introduction and other helpful resources, check out: http://www.regular-expressions.info/

heterodyned
Path Finder

Thank you so much. Is this format specifically for Windows, or would it apply to Linux as well? For Linux I generally use the format /Folder/Subfolder/*, and it generally filters the data, but does a strange delete-parent, delete, etc...

Lowell
Super Champion

Yeah. You can use either a literal forward slash like "/", or if you are writing rules that can be used on either location, then I use [/\\] which will match a single forward slash for unix, or a backslash for windows. As far as the delete parent stuff, I don't fully get how that works myself. If you keep getting them after your initial filter change, then I would suggest posting another question about it.
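As an added example (not code from this thread or from Splunk), the script below applies the blacklist patterns from Lowell's accepted answer and the cross-platform [/\\] separator class from the follow-up to a few constructed sample paths. It uses Python's re module as a stand-in for Splunk's regex engine (an assumption; the patterns only use syntax the two share) and assumes the filter has to match the whole path, which is what the trailing ".*" in the answer's patterns suggests.

```python
import re

# Added example, not from the Splunk Answers thread or from Splunk itself.
# Python's re module stands in for Splunk's regex engine (assumption: the
# patterns below use only syntax the two share), and the filter is assumed
# to have to match the whole path, which is why the answer's patterns end
# in ".*".

# Constructed sample paths, as a monitor of c:\pamping on Windows and of
# /pamping on Linux might report them.
SAMPLE_PATHS = [
    r"c:\pamping\ignore\cache.tmp",       # inside the ignore directory
    r"c:\pamping\ignore\sub\deep.log",    # nested below it
    r"c:\pamping\keep\report.txt",        # should be kept
    r"c:\pamping\ignorethis.txt",         # only shares the prefix "ignore"
    "/pamping/ignore/cache.tmp",          # Linux equivalent
    "/pamping/keep/report.txt",
]

# The patterns discussed in the thread, keyed by where they come from.
FILTERS = {
    "original (broken)": r"\*\ignore\*",
    "loose": r".*ignore.*",
    "windows path": r"c:\\pamping\\ignore\\.*",
    "either separator": r".*[/\\]pamping[/\\]ignore[/\\].*",
}


def compile_filter(pattern):
    """Compile a filter regex, returning None when the engine rejects it.

    The thread's original regex \\*\\ignore\\* is rejected by current Python
    as a bad escape ("\\i" has no meaning); a filter that never compiles
    blacklists nothing, which is the symptom described in the question.
    """
    try:
        return re.compile(pattern)
    except re.error:
        return None


def blacklisted(pattern, paths):
    """Return the paths the blacklist regex would filter out, in input order."""
    rx = compile_filter(pattern)
    if rx is None:
        return []
    return [p for p in paths if rx.fullmatch(p)]


def report(paths=SAMPLE_PATHS):
    """Map each named filter to the paths it removes; printed when run directly."""
    return {name: blacklisted(pat, paths) for name, pat in FILTERS.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:18} -> {hits or 'nothing filtered'}")
```

Running it shows the trade-off between the two corrected forms: ".*ignore.*" also blacklists c:\pamping\ignorethis.txt because the substring appears in the file name, while the path-anchored "c:\\pamping\\ignore\\.*" only removes entries under the ignore directory, so the anchored form is the safer choice when sibling names share a prefix.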