Getting Data In

fschange not picking up changes for all subfolders

snowmizer
SplunkTrust
SplunkTrust

I would like to setup file system change monitoring on my Windows server (using fschange) where my users private folders reside (e.g. F:\MyUsers). I have configured the inputs.conf file on my server where Splunk is running. I restarted Splunk (also rebooted the Splunk server).

I then created a text file in my own folder (F:\MyUsers\myuserfolder). I also tried modifying an existing file in this folder. Splunk doesn't pick up my changes. However when I search the index where I'm placing these events I see events for a few users (e.g. F:\MyUsers\jdoefolder). I verified permissions. Administratively the permissions are the same across all folders.

Why would Splunk not index changes from all subfolders?

Thanks.

Tags (1)
0 Karma
1 Solution

Branden
Builder

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

View solution in original post

Branden
Builder

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

snowmizer
SplunkTrust
SplunkTrust

I went back and re-verified the permissions on the folders. Turns out we have two different administrative permissions set. When you first glance at them they look the same but they aren't.

Thanks for the reply.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...