Getting Data In

What is the procedure to monitor changes to file content?

nagarajugowdkal
New Member

Hi,

What is the procedure to monitor changes to file content? As per my knowledge, we can add some parameters to the props.conf file.

Can anyone please provide a step-by-step procedure to achieve this?

0 Karma

ChrisG
Splunk Employee

There is detailed documentation about how to Monitor files and directories in the Getting Data In manual. Here is the link to the procedure to do it from Splunk Web. If you can pose a more specific question, the community can probably help you better.

0 Karma

somesoni2
SplunkTrust

Without much detail, I would suggest looking at these links.

File monitoring in Splunk
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Monitorfilesanddirectories

File system change monitoring in Splunk
https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Monitorchangestoyourfilesystem

0 Karma

nagarajugowdkal
New Member

Hi,

I have added the below to the inputs.conf file.

It is not showing the changes after updating the sample.conf file and using the below search command:

index=file_monitor sourcetype=fschange | diff diffheader=true | highlight +,-

inputs.conf

[fschange://home/splunk/config]
disabled = 0
host = 12b8-spnfwd03
index = file_monitor
recurse = true
pollPeriod = 1
fullEvent = true
sendEventMaxSize = -1
hashMaxSize = 99999999
sourcetype = fschange

[monitor:///home/splunk/config/sample.conf]
followTail = 0
host = 12b8-spnfwd03
disabled = false
index = file_monitor
sourcetype = fschange

0 Karma

ddrillic
Ultra Champion

What do you mean by saying -

-- What is the procedure to monitor changes to file content?

Are you speaking about log files? Anything else...

0 Karma

nagarajugowdkal
New Member

Hi,
I am talking about a configuration file, say sample.conf, with content like the below.

How can I monitor and display if something is modified in the content below?

VirtualToken = {
   VirtualToken00Label = HA_hktl;
   VirtualToken00SN = 1157803010;
   VirtualToken00Members = 157803010,155322014;
}
HASynchronize = {
   HA_HOL = 1;
}
HAConfiguration = {
   HAOnly = 1;
   haLogPath = /apps/hktl;
   logLen = 262144;
   haLogStatus = enabled;
   reconnAtt = 5;
}
hktl = {
  DefaultTimeOut = 200000;
  PEDTimeout1 = 100000;
  PEDTimeout2 = 100000;
  PEDTimeout3 = 10000;
  KeypairGenTimeOut = 3700000;
  CloningCommandTimeOut = 300000;
}

0 Karma
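
An added example, not part of the thread and not Splunk functionality: a setting-level diff for a file in the `Section = { key = value; }` layout of the posted sample.conf, reporting which settings were modified, added or removed between a saved baseline and the current copy. The function names and the embedded sample text are assumptions made for illustration.

```python
import re

# Grammar assumed from the posted sample: "Name = {", "key = value;", "}".
SECTION_RE = re.compile(r"^\s*(\w+)\s*=\s*\{\s*$")
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*;\s*$")

def parse_conf(text):
    """Flatten the config into {"Section.key": "value"}."""
    settings, section = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.strip() == "}":
            section = None
            continue
        m = SETTING_RE.match(line)
        if not (m and section):
            # Fail loudly: a line we cannot parse is itself a change worth seeing.
            raise ValueError(f"line {lineno}: unrecognised: {line!r}")
        settings[f"{section}.{m.group(1)}"] = m.group(2)
    return settings

def diff_conf(old_text, new_text):
    """Return (action, key, old, new) tuples, sorted by key."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            changes.append(("removed", key, old[key], None))
        elif key not in old:
            changes.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            changes.append(("modified", key, old[key], new[key]))
    return changes

# Constructed sample: an excerpt of the posted file, then an edited copy of it.
BASELINE = ("HAConfiguration = {\n   HAOnly = 1;\n   haLogStatus = enabled;\n"
            "   reconnAtt = 5;\n}\nhktl = {\n  DefaultTimeOut = 200000;\n}\n")
CURRENT = (BASELINE.replace("haLogStatus = enabled", "haLogStatus = disabled")
                   .replace("   reconnAtt = 5;\n", ""))

if __name__ == "__main__":
    for action, key, old, new in diff_conf(BASELINE, CURRENT):
        print(f"action={action} key={key} old={old!r} new={new!r}")
```

Each printed line is a key=value record, so the output can be written to a log file and indexed like any other event.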