I have a few issues when trying to use fschange.
even though fullEvent = true & sendEventMaxSize = -1, I am still getting one line per event/file.
even though I have souretype = changed_files, I am getting other sourcetypes. (I get csv-2 for CSV files, conf-too_small, etc). I do get changed_files when source=fschangemonitor, but not when I look for the changes to the files themselves
Even though I have whitelist/blacklist, I am still getting files that are not listed in whitelist (e.g. path="/opt/splunk/etc/system/local/.inputs.conf.swp or web.conf.old")
trying to monitor /opt/splunk/etc/system/local & /opt/splunk/etc/system/local/authentication with one directory.
I have reviewed the following pages, and they seem to contradict each other in the format for placement of options and stanza order. http://www.splunk.com/base/Documentation/latest/AppManagement/Configurationmonitoring http://www.splunk.com/base/Documentation/latest/Admin/Monitorchangestoyourfilesystem
[fschange:/opt/splunk/etc/system/local] sourcetype = changed_files index = test filters = configs,terminal-blacklist recurse = true followLinks = false signedaudit = false pollPeriod=30 fullEvent = true sendEventMaxSize = -1 delayInMills = 1000 [filter:whitelist:configs] regex1 = \.conf$ regex2 = \.py$ regex3 = \.csv$ regex4 = authentication [filter:blacklist:terminal-blacklist] regex1 = .?
I removed regex4, and that seemed to fix the issue with blacklisted files getting indexed (authentication is a directory I have under system/local). I may just have to do multiple fschange stanzas
When I removed all filters, Splunk indexed "README" file, that showed up all in one event and with the sourcetype=misc_text.
So, it seems that if the sourcetype is csv-*, or *toosmall, it won't put it all in one event.
I am getting fields that include files that a) are not in the whitelist, b) have not been deleted (or changed)
The fschange part of the stanza is now:
index = test
filters = configs,terminal-blacklist
recurse = true
delayInMills = 1000
Wed Nov 3 18:00:01 2010 action=delete, path="/opt/splunk/etc/system/local/web.conf-taw"
Wed Nov 3 18:00:01 2010 action=delete, path="/opt/splunk/etc/system/local/transforms.conf.bak"
Wed Nov 3 18:00:01 2010 action=delete, path="/opt/splunk/etc/system/local/props.conf.bak"
This has been reported to support and is a known issue in 4.1.4 +.
See the following: splunk.com/base/Documentation/4.1.4/ReleaseNotes
You may be able to workaround this by creating a whitelist that excludes explicitly the files you'd normally blacklist.