Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- fschange output
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fschange output
heterodyned
Path Finder
07-11-2010
08:33 AM
I have set up the following fschange for a test, in a test-box
[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*
[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters=sys-folder-blacklist
It still shows me some events with path related to the black list filter and the action is action=delete-parent
Could someone explain me, if this takes place only for the initial indexing?
-raghu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Takajian
Builder
11-25-2010
12:26 AM
I also have faced same issue before, and I have heard from support team that there is known issue when we use blacklist. So, you may need to ask support team to solve the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
11-25-2010
07:28 AM
Oh is it? could it be the regex in use that maybe causing these delete events? I shall get in touch with the support team to verify, I did observe that after the delete events, the implemented black-list filter works fine. Thanks Sasaki I shall get in touch with support team to resolve this issue 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balt
New Member
11-10-2010
11:20 PM
I am having a similar issue and would like to see a response. Anyone?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
11-11-2010
10:56 AM
Balt,
I havent yet received a response on why those events come in, but after you implement the filters, it does show events of action=delete only once after the fil4ers are applied. I presume it is remove those indexing IDs from splunk which was previously created for the particular path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
07-12-2010
02:20 PM
Update...the filters dont seem to work, they are still indexing data from those folders
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
07-11-2010
08:35 AM
Also I forgot to say that,
I have two copies of the input.conf one in etc/system/local
and other in /etc/apps/search/local
Is it because it cud be passing the search due to precedence?
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
