Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

fschange not picking up changes for all subfolders

snowmizer
Communicator
‎07-12-2010 07:38 PM

I would like to setup file system change monitoring on my Windows server (using fschange) where my users private folders reside (e.g. F:\MyUsers). I have configured the inputs.conf file on my server where Splunk is running. I restarted Splunk (also rebooted the Splunk server).

I then created a text file in my own folder (F:\MyUsers\myuserfolder). I also tried modifying an existing file in this folder. Splunk doesn't pick up my changes. However when I search the index where I'm placing these events I see events for a few users (e.g. F:\MyUsers\jdoefolder). I verified permissions. Administratively the permissions are the same across all folders.

Why would Splunk not index changes from all subfolders?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Branden
Builder
‎08-12-2010 08:27 PM

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

View solution in original post

Reply
Solved! Jump to solution
Solution

Branden
Builder
‎08-12-2010 08:27 PM

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

Reply
Solved! Jump to solution

snowmizer
Communicator
‎08-13-2010 03:28 PM

I went back and re-verified the permissions on the folders. Turns out we have two different administrative permissions set. When you first glance at them they look the same but they aren't.

Thanks for the reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...