*NIX App File Diff

cvajs · ‎03-14-2012

i installed the *NIX App, then i chose to monitor /etc of the linux Splunk is installed on. i tested it, modified a junk.conf file 8 times within 15min period. the *NIX App says there were 8 changes but when i click the file path it opens the Search with a Diff in there but the results are null. why? i am doing this as Admin and the OS index is in my default search for the role, etc.

araitz · ‎03-14-2012

This is almost certainly SPL-44701, which will be fixed in the next release of the unix app.

There isn't an easy workaround for now (the fix is to change intentions behavior via application.js), but I think if you change the drilldown search from:

index=os | diff pos1=1 pos2=2 | search source="junk.conf"

to:

index=os source="junk.conf" | diff pos1=1 pos2=2

you should get the expected results.

cvajs · ‎03-15-2012

also, there are more problems with this app. i goto Configs >>> Config Files Overview, then on left i change to a Count sort, find the file i am interested in, click it, a search opens but finds nothing, there's a quoting problem, after i click the file i want the serach adds a space between last char of file and ending quote, i get no results, but if i remove the space the search works. in fact, this quoting problem exists when any click opens the search in this app, etc.

cvajs · ‎03-14-2012

ok, i will try this new search manually.

*NIX App File Diff

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases