Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can we track changes to a file

johnsasikumar
Path Finder
‎06-19-2019 10:55 PM

I have a file being monitored by universal forwarder and being indexed. can I monitor changes to the file. I do the new change will be indexed into Splunk.
But can we track if a user has removed a particular line, which user has made that change.
a good example would be a configuration file..What if a line was removed or added. can we track which user made the change or when it was removed or added.

Tags (1)
0 Karma
Reply

paulbannister
Communicator
‎06-20-2019 06:54 AM

Hi There,

There is a deprecated input method called "fschange" that monitors for file system changes which may provide what you are looking for, as I said it is being deprecated but still currently works for us, example inputs below:

[fschange:\YOUR_FILE_PATH]
fullEvent=true
pollPeriod=3600
recurse=true
sendEventMaxSize=100000
signedaudit=false
disabled=0

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...