What is the best way (globally for all apps) to detect and report on either the creation of a new file in a /appname/local/ directory of an app OR when a file has been updated within a local directory of an app? Thanks!
@scelikok - Thanks again! The File Config Quest dashboard seems to have the searches closest to what is needed.
Still trying to figure out if it is possible to wildcard part of a rest search.
For example:
| rest splunk_server=local /services/-/-/admin/file-explorer/%2Fopt%2Fsplunk%2Fetc%2Fapps%2F<app_name>%2Flocal
Is there a way to wildcard the app_name? (When specifying a specific app name, the above search works.)
Unfortunately, AFAIK I think Splunk REST does not allow it.
Hi @jaburke1,
You can try Config Quest app on Splunkbase.
https://splunkbase.splunk.com/app/3696/#/details
@scelikok - thanks! I'll give that a try!
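
For the question at the top of this thread, an added example (not from any poster, and not Splunk or Config Quest code): a filesystem-level check, independent of the REST endpoint, that hashes every file under each app's local directory and reports what was created or updated since the previous run. It goes slightly beyond the question by also reporting deletions. The function names, the baseline file and the JSON event fields are assumptions of this example.

```python
import hashlib
import json
import sys
from pathlib import Path


def snapshot(apps_root):
    """Map '<app>/local/<file>' -> SHA-256 for every file under <apps_root>/*/local."""
    root = Path(apps_root)
    state = {}
    for local_dir in root.glob("*/local"):
        if not local_dir.is_dir():
            continue
        for path in local_dir.rglob("*"):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                state[path.relative_to(root).as_posix()] = digest
    return state


def diff(baseline, current):
    """Compare two snapshots; return one event per created/updated/deleted file."""
    events = []
    for name in sorted(baseline.keys() | current.keys()):
        if name not in baseline:
            action = "created"
        elif name not in current:
            action = "deleted"
        elif baseline[name] != current[name]:
            action = "updated"
        else:
            continue
        events.append({"action": action, "app": name.split("/", 1)[0], "file": name})
    return events


def check(apps_root, baseline_file):
    """Report changes since the saved baseline, then store the new baseline.

    The first run only records the baseline and reports nothing. Keep the
    baseline file outside the apps tree and writable only by the monitoring
    account, otherwise whoever edits a .conf file can also edit the baseline.
    """
    baseline_file = Path(baseline_file)
    current = snapshot(apps_root)
    events = []
    if baseline_file.exists():
        events = diff(json.loads(baseline_file.read_text()), current)
    baseline_file.write_text(json.dumps(current, indent=1))
    return events


if __name__ == "__main__" and len(sys.argv) == 3:
    # e.g. python3 local_watch.py /opt/splunk/etc/apps /path/to/baseline.json
    for event in check(sys.argv[1], sys.argv[2]):
        print(json.dumps(event))  # one JSON object per line
```

Content hashes are compared rather than modification times, so a file rewritten with its original timestamp restored is still reported as updated.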