There are lots of unknowns about your requirement, such as data format or size, but here are some suggestions that may help. They are based on the assumption that the file is small and you can read the entire file contents into Splunk on a regular basis. Once the data is in Splunk, you can use standard tools to compare lines, but it would only really be a good use case for Splunk if the data structure is simple and changes are easy to identify.

Firstly, the simplest option for a small file is to set up a script to read the contents on a regular basis, for example every hour. Once you have more than one copy of the file in Splunk, you can run a query to compare both versions. This will tell you what is different, but not what time it changed (only that it changed between the two collections). Another script could just run a dir / ls command to show the file timestamp and collect that data if required.

If you want to detect the exact time the file content changed and trigger something at that specific time, initCrcLength & crcSalt may help to read the contents on change, but it can be hit and miss depending on the type of change.

One other option may be to use INDEXED_EXTRACTIONS if the file is a structured format (xml / json / csv etc.): you can monitor the whole file and use the INDEXED_EXTRACTIONS and "CHECK_METHOD = modtime" options in a props.conf file on the collecting system. Every time the file mod time changes, it will re-read the whole file. You now potentially have two copies in Splunk that are indexed with the timestamp of the file change (if the contents have timestamps, you may need to disable this on indexing). In addition, you would want to separate each line of the file into a separate event in Splunk.
You then search for all events from both versions of the file and tag events from each version so you can determine which version they came from. For example, we create a variable called "version" and set this to "old" if it is from the previous version and to "new" if it is from the latest version. Then you merge all the events (i.e. lines from the file) into one table using stats and include all the values of "version" for each line. If the value of "version" for a line contains both "old" and "new", then you know that line is present in both versions and so has not changed. If it only contains "old", the line has been removed, and if it only contains "new", you know it has been added. For "who" changed the file, you need to look at OS level auditing for that level of detail.
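The tagging and stats comparison described above, written out as an added SPL example (not part of the original answer). It assumes the scripted input writes each file line as one event to index `config_snapshots` with sourcetype `hosts_file`, and that it runs hourly, so `earliest=-2h@h` covers exactly two collections; the index, sourcetype and field names are placeholders.

```spl
index=config_snapshots sourcetype=hosts_file earliest=-2h@h
``` Find the time of the most recent collection across all events in the window
| eventstats max(_time) AS latest_run
``` Tag each line: events from the latest run are "new", the earlier run is "old"
| eval version=if(_time==latest_run, "new", "old")
``` Collapse identical lines into one row carrying every version tag seen for that line
| stats values(version) AS version BY _raw
``` Two tags means the line exists in both snapshots; one tag means it was added or removed
| eval change=case(mvcount(version)==2, "unchanged",
                   version=="new", "added",
                   version=="old", "removed")
| where change!="unchanged"
| rename _raw AS line
| table change line
```

Lines that moved within the file are reported as unchanged, since the comparison is on content rather than position; if whitespace differences matter, strip or normalize `_raw` with `eval` before the `stats` command.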