Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- fschange output
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fschange output
heterodyned
Path Finder
07-11-2010
08:33 AM
I have set up the following fschange for a test, in a test-box
[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*
[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters=sys-folder-blacklist
It still shows me some events with path related to the black list filter and the action is action=delete-parent
Could someone explain me, if this takes place only for the initial indexing?
-raghu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Takajian
Builder
11-25-2010
12:26 AM
I also have faced same issue before, and I have heard from support team that there is known issue when we use blacklist. So, you may need to ask support team to solve the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
11-25-2010
07:28 AM
Oh is it? could it be the regex in use that maybe causing these delete events? I shall get in touch with the support team to verify, I did observe that after the delete events, the implemented black-list filter works fine. Thanks Sasaki I shall get in touch with support team to resolve this issue 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balt
New Member
11-10-2010
11:20 PM
I am having a similar issue and would like to see a response. Anyone?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
11-11-2010
10:56 AM
Balt,
I havent yet received a response on why those events come in, but after you implement the filters, it does show events of action=delete only once after the fil4ers are applied. I presume it is remove those indexing IDs from splunk which was previously created for the particular path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
07-12-2010
02:20 PM
Update...the filters dont seem to work, they are still indexing data from those folders
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heterodyned
Path Finder
07-11-2010
08:35 AM
Also I forgot to say that,
I have two copies of the input.conf one in etc/system/local
and other in /etc/apps/search/local
Is it because it cud be passing the search due to precedence?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
