Getting Data In

fschange won't work

SplunkUser5888
Path Finder

Hey guys,

I've looked everywhere and as far as I could tell none of the other answers helped my problem. As you can guess I'm relatively new so go easy on me 😜

I've managed to get fschange to work with $splunkhome/etc (who hasn't right?) but when I change the directory to /home/administrator/Documents it doesn't work. I wanted to do this as a test to see if I could get fschange to work before sticking it to do the real work with actual files.

My problem is I've tried everything I know (which isn't much). I've even done a search

index=_internal source="splunkd.log3 /documents

to see if there were any reported problems in the logs... nothing

Here is my code. I know it's probably obvious where I went wrong, but I would really appreciate any help you could give me, thanks

[default]
host = ubuntu-splunk

[fschange:/home/administrator/Documents]
index = _audit
recurse = true
followLinks = false
signedaudit = false
fullEvent = true
sendEventMaxSize = 1048576
delayInMills = 1000

in the inputs.conf in /etc/system/local


SplunkUser5888
Path Finder

I've solved it, I think I had conflicts so I changed inputs.conf completely.

[default]
host = ubuntu-splunk
[fschange:/home/administrator/Documents/]
index = main
signedaudit = false
pollPeriod = 1
hashMaxSize = 10485760
fullEvent = true

and now I find my changes/adds/deletes when I search

index=main sourcetype="fs_notification"
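An added troubleshooting script (mine, not code from this thread or from Splunk) that parses an inputs.conf, pulls out each fschange stanza with [default] merged in, and flags the two things the replies ask about: the stanza's index not matching the index in the search, and the splunkd user lacking read access to the directory. The embedded inputs.conf is a constructed sample based on the original post; run it as the user splunkd runs as, and the fallback to main is an assumption about the instance's default index.

```python
import configparser
import os

SAMPLE_INPUTS_CONF = """
[default]
host = ubuntu-splunk

[fschange:/home/administrator/Documents]
index = _audit
recurse = true
followLinks = false
"""  # constructed sample modelled on the original (non-working) post: it writes to _audit


def parse_fschange_stanzas(text):
    """Return {monitored_path: settings} for each [fschange:<path>] stanza, [default] merged in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive (pollPeriod, fullEvent, ...)
    cp.read_string(text)
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    stanzas = {}
    for section in cp.sections():
        if section.startswith("fschange:"):
            merged = dict(defaults)
            merged.update(cp[section])
            stanzas[section[len("fschange:"):]] = merged
    return stanzas


def check_stanza(path, settings, search_index):
    """Findings for the two problems raised in the thread, plus a symlink caveat."""
    findings = []
    target = settings.get("index", "main")  # assumption: the instance's default index is main
    if target != search_index:
        findings.append(f"index mismatch: events go to {target!r}, search reads {search_index!r}")
    if not os.path.isdir(path):
        findings.append(f"path missing or not a directory: {path}")
    elif not os.access(path, os.R_OK | os.X_OK):
        findings.append(f"uid {os.getuid()} cannot read {path}; run this check as the splunkd user")
    if settings.get("followLinks", "false").lower() == "true":
        findings.append("followLinks=true: symlinks can pull unintended files into the monitored set")
    return findings


def suggested_search(settings):
    """The search from the solved post, pointed at the index the stanza actually writes to."""
    return f'index={settings.get("index", "main")} sourcetype="fs_notification"'


if __name__ == "__main__":
    for path, settings in parse_fschange_stanzas(SAMPLE_INPUTS_CONF).items():
        print(path, check_stanza(path, settings, "_internal"), suggested_search(settings))
```

Point it at the real file by replacing SAMPLE_INPUTS_CONF with the contents of $SPLUNK_HOME/etc/system/local/inputs.conf.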

MuS
SplunkTrust

Then I come back to my initial comment: does the user running splunkd have permission to read in /home/administrator/Documents?


SplunkUser5888
Path Finder

Thanks for that, yeah, it is basically like that except that instead of blanks on the return lines, I added #


Ayn
Legend

In your inputs.conf you specify that the fschange events should be written to the index _audit, but in your search you're looking in the index _internal...

Ayn
Legend

Excellent that you solved it 🙂


SplunkUser5888
Path Finder

Hey, sorry I didn't see your reply. I've solved it; either my config was right and I was looking in the wrong place, or I got the wrong config, but the one I wrote in the answer I gave works just fine. Thanks for your help though.


Ayn
Legend

Well as far as I can tell the config you pasted looks OK. I could try with your exact settings later on and see what the results are.


SplunkUser5888
Path Finder

Hey, I tested the setup after giving the Splunk user admin privileges and restarting, ran it again, and nothing. I still can't find any errors in the log, and I still can't find the input when I add, change or delete a file / folder in the /Documents section.


SplunkUser5888
Path Finder

The search brings back some http requests and the old errors I made before changing the syntax to how you see it now. As for the user, it was a normal user which I've now changed to admin. I will be starting a conference in a minute, so I will test it tomorrow and get back to you; thanks for the help though.


Ayn
Legend

Ah, sorry, I misread - I thought you were looking for the actual events in _internal. Does a search for index=_internal fschange show anything interesting?

Also does the user Splunk is running as have read access to the directory you're wanting to run fschange on?

SplunkUser5888
Path Finder

I thought that's what you type to get info on the splunkd logs. When I change to _audit, I get no results, whereas when I keep _internal, I get the errors I had with my previous syntax showing up, but it doesn't show any errors since the ones I fixed. But still, no results.


Ayn
Legend

I fixed your formatting a bit - is this how your config files look?
