fschange output

heterodyned
Path Finder

I have set up the following fschange for a test, on a test box

[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*

[fschange:/sys]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 86400
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
hashMaxSize = -1
filters=sys-folder-blacklist

It still shows me some events with paths related to the blacklist filter, and the action is action=delete-parent.

Could someone explain to me whether this takes place only for the initial indexing?

-raghu

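An added check, not from this thread or from Splunk, that loads the blacklist stanza posted above and runs sample paths through its regexes, so the filter can be validated before it is deployed. It assumes the filter is evaluated as an unanchored regex search against the full path; the stanza copy and the sample paths are constructed.

```python
import re
from configparser import ConfigParser

# Constructed copy of the blacklist stanza from the question, embedded so
# this runs offline. Note that in a regex "/*" means "zero or more slashes",
# so "/sys/block/*" matches any path that contains "/sys/block".
INPUTS_CONF = """
[filter:blacklist:sys-folder-blacklist]
regex1=/sys/block/*
regex2=/sys/devices/system/*
regex3=/sys/module/*
regex4=/sys/devices/platform/*
"""

def load_blacklist(conf_text, name):
    """Return the compiled regexN patterns of the named blacklist filter, in order."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    section = cp[f"filter:blacklist:{name}"]
    keys = sorted((k for k in section if re.fullmatch(r"regex\d+", k)),
                  key=lambda k: int(k[len("regex"):]))
    return [re.compile(section[k]) for k in keys]

def apply_blacklist(patterns, paths):
    """Split paths into (dropped, kept).

    Assumption: a path is dropped when any blacklist regex matches anywhere
    in it (unanchored search). This is how the check is modelled here, not a
    statement about Splunk's internal implementation."""
    dropped, kept = [], []
    for path in paths:
        (dropped if any(rx.search(path) for rx in patterns) else kept).append(path)
    return dropped, kept

# Constructed sample paths of the kind fschange would report under /sys.
SAMPLE_PATHS = [
    "/sys/block/sda/size",
    "/sys/devices/system/cpu/cpu0/online",
    "/sys/module/usbcore/parameters/autosuspend",
    "/sys/devices/platform/serial8250/tty",
    "/sys/kernel/mm/transparent_hugepage/enabled",
    "/sys/class/net/eth0/address",
]

if __name__ == "__main__":
    pats = load_blacklist(INPUTS_CONF, "sys-folder-blacklist")
    dropped, kept = apply_blacklist(pats, SAMPLE_PATHS)
    print("dropped:", *dropped, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```

If every expected path lands in "dropped" here but the folders are still indexed, the regexes are not the problem and the cause lies elsewhere (for example which inputs.conf copy wins by precedence).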

Takajian
Builder

I have also faced the same issue before, and I have heard from the support team that there is a known issue when we use a blacklist. So, you may need to ask the support team to solve the issue.


heterodyned
Path Finder

Oh, is it? Could it be the regex in use that is causing these delete events? I shall get in touch with the support team to verify. I did observe that after the delete events, the implemented blacklist filter works fine. Thanks Sasaki, I shall get in touch with the support team to resolve this issue 🙂


balt
New Member

I am having a similar issue and would like to see a response. Anyone?


heterodyned
Path Finder

Balt,
I haven't yet received a response on why those events come in, but after you implement the filters, it does show events of action=delete only once after the filters are applied. I presume it is removing those indexing IDs from Splunk which were previously created for the particular path.


heterodyned
Path Finder

Update... the filters don't seem to work; they are still indexing data from those folders.


heterodyned
Path Finder

Also, I forgot to say that

I have two copies of the input.conf, one in etc/system/local
and the other in /etc/apps/search/local.

Is it because it could be passing the search due to precedence?
