Solved: FSChange: fullEvent=true but no full event?

muebel · ‎09-21-2010

I have a fschange stanza configured as such

[fschange:/path/to/file]
disabled = false
pollPeriod = 300
fullEvent = true
hashMaxSize = 65535

It seems to be detecting changes to this file, but doesn't include the file as I am expecting fullEvent = true would do. What am I missing?

Simeon · ‎09-21-2010

If something changed, you should see the file displayed depending on the search criteria. The best way to find it would be to search for:

index=* source=/path/to/file*

I would be curious to know the exact fschangemonitor output when you run your initial search. Additionally, you may have the sendEventMaxSize set to something too low. If you set it to -1 under the stanza, it should pick up the file:

sendEventMaxSize=-1

View solution in original post

Simeon · ‎09-21-2010

If something changed, you should see the file displayed depending on the search criteria. The best way to find it would be to search for:

index=* source=/path/to/file*

I would be curious to know the exact fschangemonitor output when you run your initial search. Additionally, you may have the sendEventMaxSize set to something too low. If you set it to -1 under the stanza, it should pick up the file:

sendEventMaxSize=-1

muebel · ‎09-21-2010

I misunderstood how this was working out... did a search for the file as a source, and was able to see the full file there.

muebel · ‎09-21-2010

sendEventMaxSize defaults to -1

FSChange: fullEvent=true but no full event?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio