Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: fschange with universal Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys, I've seen a couple of similar questions to mine but nothing has helped. I have a very simple edit in the inputs.conf of my Universal Forwarder on a Windows Server.
It has in it;
[default]
host = server2003-splu
[fschange:C:\Program Files\]
index = _audit
signedaudit = false
#pollPeriod = 1
#hashMaxSize = 10485760
#fullEvent = true
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0
Any reason why when i do a search
index=_audit sourcetype=fs_notification host=server2003-splu
it doesn't come back with anything even after adding, changing and deleting files and folders in the Program Files directory?
Thanks for any help you can give me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works now. Same config, same search nothing changed. It was a stupid mistake after all, the Universal Forwarder was not being restarted properly.
Answer:
Make sure you restart the server properly
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works now. Same config, same search nothing changed. It was a stupid mistake after all, the Universal Forwarder was not being restarted properly.
Answer:
Make sure you restart the server properly
C:\Program Files\SplunkUniversalForwarder\bin>splunk.exe restart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, I didn't mean to sound pushy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question was posted only an hour ago. You can't expect people doing this on their spare time to always see and respond to the question immediately...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The sourcetype should be fs_notification, not fs_notifications. Also you have a typo in the stanza below (diasbled instead of disabled), though that shouldn't affect the fschange stanza.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, thanks for your answer, but that's a typo on my behalf, any query I use to search does not bring any results (I'll edit the question with the right search parameters though thanks for pointing it out)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No one knows how I can change my file to make it work? I don't mind rewriting it if someone thinks it needs to be changed completely
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
