Solved: Re: What is the correct syntax to have fschange se...

nick085 · ‎10-09-2012

Will the following work:

[fschange:C:\Program Files\progam|D:\File\group]

Should replace "|" with "OR",or should i use "&" or "AND". I am trying to monitor file changes to multiple directories using a single fschange statement. I would prefer to not use multiple fschange statements requiring changes to the same attributes for each fschange. If boolean logic cannot be used, is there a way to use a function to define the attributes for fschange?

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

View solution in original post

bmacias84 · ‎10-09-2012

I am sorry, but I dont believe Splunks allows you to perform boolean logic. If you like to use a single fschange entry will most likely have to use File system monitoring filters.



[fschange:/etc] 

filters = nothis,dothis 

[filter:blacklist:nothis] 

regex1 = .*bak

regex2 = .*bk

[filter:whitelist:dothis] 

regex1 = .\.c 

regex2 = .\.h

Using FSchange

What is the correct syntax to have fschange search multiple directories?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases