Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- some questions about
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I am a beginner in splunk. I started implementing an enterprise splunk. At present from splunk I need monitoring of files, the register and logs, and some perfmon counters. But I met difficulties. I nave:
1) FileSystem monitoring:
[fschange:C:\Windows\System32]
pollPeriod = 3600
index = fschange
filters = ignore_logs
signedaudit = false
hashMaxSize = 104857600
recurse = true
followLinks = false
fullEvent = false
sendEventMaxSize = -1
filesPerDelay = 100
delayInMills = 1000
But when I create the directory (file), or I delete, splunk doesn't report to me about it.
2) Monitoring free space
[perfmon://LocalPhysicalDisk]
interval = 300
object = PhysicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
It at all doesn't work.
3) Monitoring windows registry
[WinRegMon://RegistryMonitor]
baseline = 0
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\?.*
proc = C:\\.*
index = winreg
type = rename|set|delete|create
It at all doesn't work.
Can you help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
On first look perfmon object is wrong. Physical Disk doesn't have those counters, Logical disk has.
[perfmon://LocalPhysicalDisk]
interval = 300
object = LogicalDisk
counters = % Free Space; Free Megabytes
disabled = 0
instances = *
index = perfmon
Regmon you have provided path in "proc" rather than the process name.
Use Monitor instead of fschange which is depreciated. But you need to put more logic to find out the file creation and deletion.
More details you can refer this:
http://docs.splunk.com/Documentation/Splunk/6.0.2/admin/inputsconf
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, at last I made the register monitoring. It is necessary to set up monitoring of file system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the first issue is resolved. I read input.conf, but didn't find specific examples about registry and monitoring of file system with a hash with monitor
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
