Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
Stefan Baryakov's Discussions
fschange - change detection criteria
2 Replies
Hi All,How to only send the full event in case of user/group or hash change but not time change of file in the scope of fschange?As…Continue
Started this discussion. Last reply by Stefan Baryakov Jan 12, 2010.
Stefan Baryakov's Page
Gifts Received
Stefan Baryakov has not received any gifts yet
Latest Activity
Stefan Baryakov replied to Stefan Baryakov's discussion 'fschange - change detection criteria'
Hi Michael,
Thanks for the response. The file is just being touched, as open and saved without being changed.
The hash in splunk desn't change however the complete file is indexed. When the files are really changed the hash changes and the…
Michael Wilde replied to Stefan Baryakov's discussion 'fschange - change detection criteria'
Stefan..
What is happening to the file? Is someone opening the file and saving it, so the modtime's getting updated? Or is someone just reading the file?
Also.. which OS is it on?
fschange - change detection criteria
Hi All,How to only send the full event in case of user/group or hash change but not time change of file in the scope of fschange?As example:[fschange:/etc/config.cfg]fullEvent=truesendEventMaxSize=-1Now every time the file is touched, even without change, the complete content of the file is indexed.In other words how to configure the [fschange] not to send ‘fullEvent’ in case of modtime change alone.Thank you.BR,StefanSee More
Discussion posted by Stefan Baryakov
Michael Wilde left a comment for Stefan Baryakov
Stefan..
Thanks for signing up. I set up this site so we can freely share, discuss, ask questions, post videos.. whatever. Ask hard questions, and we'll try to get them answered.
Michael Wilde
Splunk Ninja
Profile Information
- Are you an existing splunk user?
- Licensed
- What do you do for your day job?
- n/a
Comment Wall (1 comment)
- At 8:16pm on January 7, 2010,
Michael Wilde said…
- Stefan..
Thanks for signing up. I set up this site so we can freely share, discuss, ask questions, post videos.. whatever. Ask hard questions, and we'll try to get them answered.
Michael Wilde
Splunk Ninja
© 2012 Created by Michael Wilde.
