I have set up the following fschange input for a test, on a test box:

# Blacklist filter referenced by the fschange stanza below
[filter:blacklist:sys-folder-blacklist]
regex1 = /sys/block/*
regex2 = /sys/devices/system/*
regex3 = /sys/module/*
regex4 = /sys/devices/platform/*

# Monitor /sys recursively, applying the blacklist above
[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters = sys-folder-blacklist
It still shows me some events whose path matches the blacklist filter, with the action action=delete-parent.
Could someone explain to me whether this takes place only for the initial indexing?
Oh, is it? Could it be the regex in use that is causing these delete events? I shall get in touch with the support team to verify. I did observe that after the delete events, the implemented blacklist filter works fine. Thanks Sasaki, I shall get in touch with the support team to resolve this issue 🙂
I haven't yet received a response on why those events come in, but after you implement the filters, it does show events with action=delete only once, after the filters are applied. I presume it removes those indexing IDs from Splunk which were previously created for the particular path.
Also, I forgot to say that I have two copies of inputs.conf, one in etc/system/local and the other in etc/apps/search/local.
Is it because it could be passing the search due to precedence?
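As an added example that is not part of the original thread: a small Python script that layers two constructed inputs.conf fragments the way Splunk's global-context precedence does (etc/system/local overriding etc/apps/search/local key by key within the same stanza), then runs the regexes from the posted blacklist filter stanza against a few constructed /sys paths. Both config fragments and the sample paths are made up here; the assumption that filter regexes are searched unanchored against the full path is mine and is flagged in the code.

```python
import configparser
import re

# Constructed example: two inputs.conf copies like the ones the thread mentions.
# Both fragments are made up for this demonstration, not taken from the poster's box.
SYSTEM_LOCAL = """
[filter:blacklist:sys-folder-blacklist]
regex1 = /sys/block/*
regex2 = /sys/devices/system/*
regex3 = /sys/module/*
regex4 = /sys/devices/platform/*

[fschange:/sys]
index = _audit
sourcetype = fschange
recurse = true
disabled = false
pollPeriod = 86400
filters = sys-folder-blacklist
"""

# Constructed lower-precedence copy in etc/apps/search/local with conflicting keys.
APP_LOCAL = """
[fschange:/sys]
index = main
disabled = true
pollPeriod = 3600
"""


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: pollPeriod, not pollperiod
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_by_precedence(layers):
    """Merge conf layers given from lowest to highest precedence.

    Higher layers override individual keys of the same stanza. This mirrors how
    Splunk layers a global-context conf such as inputs.conf: etc/apps/<app>/local
    is overridden by etc/system/local.
    """
    effective = {}
    for layer in layers:
        for stanza, kv in layer.items():
            effective.setdefault(stanza, {}).update(kv)
    return effective


def effective_inputs():
    """Effective inputs.conf: app local first (lower), system local last (higher)."""
    return merge_by_precedence([parse_conf(APP_LOCAL), parse_conf(SYSTEM_LOCAL)])


def blacklist_patterns(conf, name):
    """Collect regex1..regexN from a [filter:blacklist:<name>] stanza, in order."""
    stanza = conf[f"filter:blacklist:{name}"]
    keys = sorted((k for k in stanza if k.startswith("regex")), key=lambda k: int(k[5:]))
    return [re.compile(stanza[k]) for k in keys]


def is_blacklisted(path, patterns):
    """Assumption (mine, not confirmed from Splunk docs here): each pattern is a
    regular expression searched anywhere in the path, not a shell glob. In
    '/sys/block/*' the '*' quantifies the preceding '/', so the regex really means
    '/sys/block' followed by zero or more slashes; the unanchored search is what
    makes it still cover everything beneath /sys/block."""
    return any(p.search(path) for p in patterns)


def classify(paths):
    """Map each path to True if the effective blacklist filter would drop it."""
    conf = effective_inputs()
    patterns = blacklist_patterns(conf, conf["fschange:/sys"]["filters"])
    return {p: is_blacklisted(p, patterns) for p in paths}


if __name__ == "__main__":
    print("effective [fschange:/sys]:", effective_inputs()["fschange:/sys"])
    sample = [  # constructed paths
        "/sys/block/sda/size",
        "/sys/module/xfs/parameters/foo",
        "/sys/devices/platform/serial8250/uevent",
        "/sys/kernel/mm/transparent_hugepage/enabled",
    ]
    for path, dropped in classify(sample).items():
        print(f"{'filtered ' if dropped else 'monitored'} {path}")
```

Running it shows the system/local values (disabled = false, pollPeriod = 86400, index = _audit) winning over the app copy, and the three blacklisted paths being dropped while the /sys/kernel path is kept. On a real instance the equivalent check for the layered result is `splunk btool inputs list fschange:/sys --debug`, which prints each effective key with the file it came from.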