I want to monitor entire Disk Drives and blacklist all .log files recursively using fschange. The only way I can see to do this is to specify the specific directories containing these files using ... (ex ...\...\...\
*.log). Is there a way to do this without making separate regex's for each directory being monitored?
The use case you describe isn't support for fschange, it wasn't designed to be used in the manner you describe. Using it in this manner will result in so much data that it'll end up being useless to you. Beyond that, you can't use monitored inputs on the same folder that you'd do fschange on, so the entire disk would be off limits for any monitor stanzas. You should leverage operating system tools to track changes to files and then index that data in Splunk.
[filter:
* Define a filter of type
*
* Filter types are either 'blacklist' or 'whitelist.'
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.
*
* The filter name is used in the comma-separated list when defining a file system monitor.
So, yes, you can use fschange recursively, and you can use filters with it. inputs.conf.spec shows:
recurse = [true|false] If true, recurse directories within the directory specified in [fschange]. Defaults to true.
Thanks for the reply. I understand, no need to monitor the entire drive - just would make it easier. I need to monitor application folders though and still need to know if it's possible to blacklist a filetype recursively in the folder I specify. I do not want to list every separate folder in the configuration.
See this link as a better way to use Splunk to monitor Windows changes:
http://splunk-base.splunk.com/answers/5975/performance-impact-of-fschange-on-c:\windows