Is there any reason to set up both a [monitor://] and a [fschange:] input for a single path? Are there any problems with doing this, and if not, what would be the advantages of such a configuration?
I ask this because I notice that Splunk's unix app does this in both Splunk 4.0.10 and Splunk 4.1.1.
Snippet from inputs.conf:

    [fschange:/etc]
    index=os
    pollPeriod = 300
    fullEvent = true
    filesPerDelay=5
    delayInMills=100

    [monitor:///etc]
    _whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
    index=os
In 4.0, both of the inputs are enabled by default (once you enable the unix app, of course). In 4.1 the unix app has all inputs disabled by default (which is a more sane default, IMHO). Either way, both stanzas are there.
According to the docs for inputs.conf, this is not supported.
NOTE: You cannot simultaneously watch a directory using fs change monitor and monitor (above).
But, that said, the unix app does configure both inputs in spite of the docs saying it can't be done.
So, any idea on why this is done, what advantage it provides?
I think our preclusion of this behavior is basically stale. Given that we do it all over the place, and I think customers are doing it, it does work.
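An added example, not part of the original thread and not Splunk's own code: a small audit script that reads inputs.conf text and lists the paths that have both an enabled [monitor://] and an enabled [fschange:] stanza. The sample config is constructed from the snippet in the question; the handling of `disabled` values, the restriction to absolute Unix paths, and the exact-path comparison (nested directories are not matched) are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the snippet quoted in the question.
SAMPLE = r"""
[fschange:/etc]
index=os
pollPeriod = 300
fullEvent = true

[monitor:///etc]
_whitelist=(\.conf|\.cfg|config$)
index=os

[monitor:///var/log]
index=os
disabled = 1
"""

# [monitor:///etc] and [fschange:/etc] both resolve to the path /etc.
STANZA = re.compile(r"^\[(monitor|fschange):(?://)?(/[^\]]*)\]\s*$")

def parse_inputs(text):
    """Return {path: {input_type: settings}} for monitor/fschange stanzas."""
    inputs = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            current = None  # settings of other stanza types are ignored
            if m:
                kind, path = m.group(1), m.group(2).rstrip("/") or "/"
                current = inputs[path].setdefault(kind, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return inputs

def double_watched(text):
    """Paths with both an enabled monitor and an enabled fschange stanza."""
    def enabled(cfg):
        # Assumption: "1" or "true" marks a stanza as disabled.
        return cfg.get("disabled", "0").lower() not in ("1", "true")
    return sorted(
        path for path, kinds in parse_inputs(text).items()
        if {"monitor", "fschange"} <= {k for k, c in kinds.items() if enabled(c)}
    )

if __name__ == "__main__":
    print(double_watched(SAMPLE))
```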