
fschange output

Path Finder

I have set up the following fschange for a test, in a test box:

[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*

[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters=sys-folder-blacklist

It still shows me some events with paths related to the blacklist filter, and the action is action=delete-parent.

Could someone explain to me whether this takes place only for the initial indexing?

-raghu

0 Karma

Builder

I have also faced the same issue before, and I heard from the support team that there is a known issue when we use a blacklist. So, you may need to ask the support team to solve the issue.

0 Karma

Path Finder

Oh, is it? Could it be the regex in use that may be causing these delete events? I shall get in touch with the support team to verify. I did observe that after the delete events, the implemented blacklist filter works fine. Thanks Sasaki, I shall get in touch with the support team to resolve this issue 🙂

0 Karma

New Member

I am having a similar issue and would like to see a response. Anyone?

0 Karma

Path Finder

Balt,
I haven't yet received a response on why those events come in, but after you implement the filters, it does show events of action=delete only once after the filters are applied. I presume it is removing those indexing IDs from Splunk which were previously created for the particular path.

0 Karma

Path Finder

Update... the filters don't seem to work; they are still indexing data from those folders.

0 Karma

Path Finder

Also, I forgot to say that

I have two copies of the input.conf, one in etc/system/local
and the other in /etc/apps/search/local.

Is it because it could be passing the search due to precedence?

0 Karma
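
An added example, not part of the original thread and not Splunk's own code: it evaluates the four `regexN` values from the posted filter stanza as regular expressions, where a trailing `*` repeats the preceding `/` rather than acting as a glob wildcard. The thread does not say whether fschange matches the whole path or any substring, so both modes are shown; Python's `re` standing in for the Splunk regex engine, the helper names and the sample paths are assumptions.

```python
import re

# The four regexN values from [filter:blacklist:sys-folder-blacklist] above.
POSTED = [r"/sys/block/*", r"/sys/devices/system/*",
          r"/sys/module/*", r"/sys/devices/platform/*"]

def as_regex_prefix(pattern):
    """Rewrite a glob-style 'dir/*' entry as the regex 'dir/.*' (hypothetical helper)."""
    if pattern.endswith("/*"):
        return re.escape(pattern[:-2]) + "/.*"
    return pattern

def blacklisted(path, patterns, anchored):
    """True if any pattern matches; anchored=True requires the whole path to match."""
    match = re.fullmatch if anchored else re.search
    return any(match(p, path) for p in patterns)

def report(paths, patterns):
    """Return {path: (whole_path_match, substring_match)} for each path."""
    return {p: (blacklisted(p, patterns, True), blacklisted(p, patterns, False))
            for p in paths}

# Constructed sample paths, not taken from the events in the thread.
SAMPLE_PATHS = [
    "/sys/block",                 # the directory itself
    "/sys/block/sda/stat",        # file below a blacklisted directory
    "/sys/module/ext4/refcnt",    # file below another blacklisted directory
    "/sys/blockdev-test",         # sibling name that only shares the prefix
    "/sys/kernel/uevent_seqnum",  # should never be filtered
]

if __name__ == "__main__":
    rewritten = [as_regex_prefix(p) for p in POSTED]
    for label, pats in (("posted", POSTED), ("rewritten", rewritten)):
        print(label, pats)
        for path, (whole, sub) in report(SAMPLE_PATHS, pats).items():
            print(f"  {path:28} whole-path={whole!s:5} substring={sub}")
```

With the posted patterns the result depends on the matching mode: a whole-path match filters only the directory name itself, while a substring match also catches the unrelated `/sys/blockdev-test`. The `dir/.*` form gives the same answer in both modes.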