Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
I want to give LDAP access to my Splunk service, but I don't want the LDAP users to have admin capabilities in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication?
Hello Jonathan,
Glad to have another Splunker. I've been using Splunk for 2 years and am hooked. I learned how to spell splunk and | transaction too. You'll learn that one soon.
Go over to Splunk…
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Feb 7
Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
How to only send the full event in case of user/group or hash change but not time change of file in the scope of fschange?
As an example:
[fschange:/etc/config.cfg]
fullEvent=true
sendEventMaxSize=-1
Now every time the file is touched, even without change, the complete content of the file is indexed.
In other words, how to configure the [fschange] not to send ‘fullEvent’ in case of modtime change alone?
Thanks for the response. The file is just being touched, as open and saved without being changed.
The hash in Splunk doesn't change; however, the complete file is indexed. When the files are really changed, the hash changes and the file is indexed again.
My objective is to have the files indexed only when there is a change in the content (hash).
The OS is AIX.