
fschange output

heterodyned
Path Finder

I have set up the following fschange for a test, on a test box:

[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*

[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters=sys-folder-blacklist

It still shows me some events with paths related to the blacklist filter, and the action is action=delete-parent.

Could someone explain to me whether this takes place only during the initial indexing?

-raghu

0 Karma

Takajian
Builder

I have also faced the same issue before, and I heard from the support team that there is a known issue when using a blacklist. So you may need to ask the support team to solve the issue.

0 Karma

heterodyned
Path Finder

Oh, is it? Could it be the regex in use that may be causing these delete events? I shall get in touch with the support team to verify. I did observe that after the delete events, the implemented blacklist filter works fine. Thanks Sasaki, I shall get in touch with the support team to resolve this issue 🙂

0 Karma

balt
New Member

I am having a similar issue and would like to see a response. Anyone?

0 Karma

heterodyned
Path Finder

Balt,
I haven't yet received a response on why those events come in, but after you implement the filters, it shows events with action=delete only once, after the filters are applied. I presume it is removing those indexing IDs from Splunk which were previously created for the particular path.

0 Karma

heterodyned
Path Finder

Update... the filters don't seem to work; it is still indexing data from those folders.

0 Karma

heterodyned
Path Finder

Also, I forgot to say that I have two copies of inputs.conf, one in etc/system/local and the other in etc/apps/search/local.

Is it because it could be passing the search due to precedence?

0 Karma
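As an added illustration (not code from the original post or from Splunk), the following Python script models the two things this thread turns on: how a second copy of inputs.conf layers over the first, and what the posted blacklist regexes actually match. It assumes Splunk merges the files key by key within each stanza, with etc/system/local taking precedence over etc/apps/search/local for a global-context file like inputs.conf (the documented order), and that each `regexN` is applied to the monitored path as a regular expression; whether that test is anchored is not stated on this page, so both variants are shown. The parser, the merge and the sample paths are all constructed for the example.

```python
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

# Constructed sample: the stanzas from the post, as they would sit in
# etc/system/local/inputs.conf. Note the glob-style "/*" in the regexes.
SYSTEM_LOCAL = """
[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*

[fschange:/sys]
index = _audit
sourcetype = fschange
recurse = true
filters=sys-folder-blacklist
"""

# Constructed sample: a second copy in etc/apps/search/local/inputs.conf
# that redefines the same stanza with a different index and an empty
# filters value.
APP_LOCAL = """
[fschange:/sys]
index = main
filters =
"""

# Constructed sample paths that fschange would report under /sys.
SAMPLE_PATHS = [
    "/sys/block/sda/size",
    "/sys/class/net/eth0",
    "/sys/devices/platform/serial8250",
    "/sys/kernel/debug",
]


def parse_conf(text: str) -> Conf:
    """Minimal .conf parser: [stanza] headers and key = value lines."""
    conf: Conf = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf


def merge_layers(*layers: Conf) -> Conf:
    """Layer configs lowest precedence first; a later layer overrides an
    earlier one key by key within each stanza (assumed Splunk-like merge)."""
    merged: Conf = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def blacklist_regexes(conf: Conf, input_stanza: str) -> List[str]:
    """Collect regexN values from every blacklist filter named in the
    stanza's comma-separated 'filters' key, in numeric order."""
    names = [n.strip() for n in conf[input_stanza].get("filters", "").split(",") if n.strip()]
    regexes: List[str] = []
    for name in names:
        filt = conf.get(f"filter:blacklist:{name}", {})
        keys = sorted((k for k in filt if re.fullmatch(r"regex\d+", k)),
                      key=lambda k: int(k[5:]))
        regexes.extend(filt[k] for k in keys)
    return regexes


def is_blacklisted(path: str, regexes: List[str], anchored: bool = False) -> bool:
    """Assumption: an unanchored re.search per regex. anchored=True shows what
    a full-path match would do to the glob-style patterns from the post."""
    for rx in regexes:
        if re.fullmatch(rx, path) if anchored else re.search(rx, path):
            return True
    return False


def filtered_paths(conf: Conf, paths: List[str], anchored: bool = False) -> List[str]:
    """Return the sample paths the merged config would blacklist."""
    rx = blacklist_regexes(conf, "fschange:/sys")
    return [p for p in paths if is_blacklisted(p, rx, anchored)]


if __name__ == "__main__":
    # system/local wins (documented order): filters survive, index stays _audit.
    merged = merge_layers(parse_conf(APP_LOCAL), parse_conf(SYSTEM_LOCAL))
    print("effective stanza:", merged["fschange:/sys"])
    print("blacklisted (unanchored):", filtered_paths(merged, SAMPLE_PATHS))
    print("blacklisted (anchored):  ", filtered_paths(merged, SAMPLE_PATHS, anchored=True))
    # If the app copy won instead, the empty filters value would disable the blacklist.
    reversed_merge = merge_layers(parse_conf(SYSTEM_LOCAL), parse_conf(APP_LOCAL))
    print("blacklisted if app/local won:", filtered_paths(reversed_merge, SAMPLE_PATHS))
```

Two things fall out of running it. First, `/sys/block/*` is a glob, but as a regex it means `/sys/block` followed by zero or more slashes, so it only covers `/sys/block/sda/size` when the match is an unanchored search; `/sys/block/.*` works under either interpretation and is the form to write. Second, which copy of inputs.conf wins decides whether the `filters` key is present at all, and an empty value in the winning copy silently disables the blacklist; `splunk btool inputs list --debug` prints each effective setting together with the file it came from, which is the quickest way to check the precedence question raised above.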