Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

fschange not picking up changes for all subfolders

snowmizer
Communicator
‎07-12-2010 07:38 PM

I would like to setup file system change monitoring on my Windows server (using fschange) where my users private folders reside (e.g. F:\MyUsers). I have configured the inputs.conf file on my server where Splunk is running. I restarted Splunk (also rebooted the Splunk server).

I then created a text file in my own folder (F:\MyUsers\myuserfolder). I also tried modifying an existing file in this folder. Splunk doesn't pick up my changes. However when I search the index where I'm placing these events I see events for a few users (e.g. F:\MyUsers\jdoefolder). I verified permissions. Administratively the permissions are the same across all folders.

Why would Splunk not index changes from all subfolders?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Branden
Builder
‎08-12-2010 08:27 PM

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

View solution in original post

Reply
Solved! Jump to solution
Solution

Branden
Builder
‎08-12-2010 08:27 PM

I am pretty new to fschange, but in your inputs.conf do you have "recurse=true" set? I'm guessing you do since it's picking up other users' changes, but I figure it's worth a shot!

Reply
Solved! Jump to solution

snowmizer
Communicator
‎08-13-2010 03:28 PM

I went back and re-verified the permissions on the folders. Turns out we have two different administrative permissions set. When you first glance at them they look the same but they aren't.

Thanks for the reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...