I have a file being monitored by universal forwarder and being indexed. can I monitor changes to the file. I do the new change will be indexed into Splunk.
But can we track if a user has removed a particular line, which user has made that change.
a good example would be a configuration file..What if a line was removed or added. can we track which user made the change or when it was removed or added.
Hi There,
There is a deprecated input method called "fschange" that monitors for file system changes which may provide what you are looking for, as I said it is being deprecated but still currently works for us, example inputs below:
[fschange:\YOUR_FILE_PATH]
fullEvent=true
pollPeriod=3600
recurse=true
sendEventMaxSize=100000
signedaudit=false
disabled=0