
Are there any reasons to set up both monitor and fschange on the same path?

Lowell
Super Champion

Is there any reason to set up both a [monitor://] and a [fschange:] input for a single path? Are there any problems with doing this, and if not, what would be the advantages of such a configuration?

I ask this because I notice that Splunk's unix app does this in both Splunk 4.0.10 and Splunk 4.1.1.

Snippet from inputs.conf:

[fschange:/etc]
index=os
pollPeriod = 300
fullEvent = true
filesPerDelay=5
delayInMills=100

[monitor:///etc]
_whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
index=os

In 4.0, both of the inputs are enabled by default (once you enable the unix app, of course). In 4.1 the unix app has all inputs disabled by default (which is a more sane default, IMHO). Either way, both stanzas are there.

dwaddle
SplunkTrust

According to the docs for inputs.conf, this is not supported.

NOTE: You cannot simultaneously watch a directory using fs change monitor and monitor (above).

But, that said, the unix app does configure both inputs in spite of the docs saying it can't be done.

Lowell
Super Champion

So, any idea on why this is done, what advantage it provides?


jrodman
Splunk Employee

I think our preclusion of this behavior is basically stale. Given that we do it all over the place, and I think customers are doing it, it does work.
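Added example, not part of the thread and not Splunk's own code: a small audit that reads an inputs.conf and reports every path watched by both an enabled [fschange:] and an enabled [monitor://] stanza, which is the combination the quoted docs note warns about. The sample configuration is constructed from the stanzas in the question, the function names are hypothetical, and the nested-path match assumes both inputs recurse into subdirectories.

```python
import posixpath
import re

# Constructed sample; the first two stanzas mirror the ones quoted in the question.
SAMPLE_INPUTS_CONF = r"""
[fschange:/etc]
index=os
[monitor:///etc]
_whitelist=(\.conf|\.cfg|config$)
[fschange:/opt/app]
disabled = true
[monitor:///opt/app/conf]
"""

STANZA = re.compile(r"^\[(monitor://|fschange:)(.+)\]$")

def parse_inputs(text):
    """Return {'monitor': {path: settings}, 'fschange': {path: settings}}."""
    inputs = {"monitor": {}, "fschange": {}}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            current = None  # settings of other stanza types are ignored
            if m:
                kind = "monitor" if m.group(1) == "monitor://" else "fschange"
                current = inputs[kind].setdefault(posixpath.normpath(m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: regex values may contain '='
            current[key.strip()] = value.strip()
    return inputs

def enabled(settings):
    return settings.get("disabled", "false").lower() not in ("1", "true")

def covers(parent, child):
    return child == parent or child.startswith(parent.rstrip("/") + "/")  # /etc does not cover /etcetera

def overlapping_inputs(text):
    """Sorted (fschange_path, monitor_path) pairs where both enabled inputs watch the same tree."""
    inputs = parse_inputs(text)
    return sorted(
        (fpath, mpath)
        for fpath, fset in inputs["fschange"].items() if enabled(fset)
        for mpath, mset in inputs["monitor"].items() if enabled(mset)
        if covers(fpath, mpath) or covers(mpath, fpath)
    )
```

Calling `overlapping_inputs()` on the text of an app's inputs.conf gives the list of path pairs to review; stanzas with `disabled = true` are skipped.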
