I am trying to set up Splunk to effectively monitor changes to the filesystem, in particular the /etc/ directory. My goal is to have a search view that catches all these changes without many repeats or false positives.
Yesterday on one machine (Linux Mint), I installed Splunk for *nix, and the configuration page lists /etc as an input. Today, I installed the same app on Ubuntu, where /etc was not listed as an input. I can't find where to modify these inputs in the app, but I must have done so yesterday and can't figure out how again today or something. This is the only difference between the two config pages.
SOLUTION: I figured it out. I had already created an /etc search outside of the app, and the app would have had to override that when adding its own /etc input and wisely chose not to do so.
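One way to see the collision described in the solution, as an added example that is not part of the original post: Splunk reads every inputs.conf under $SPLUNK_HOME/etc (system/local plus each app's local and default directories) and merges same-named stanzas by precedence, so a hand-made [monitor:///etc] stanza and the app's own one end up as a single input. The script below builds a constructed $SPLUNK_HOME layout with exactly that overlap (the file contents and the app directory name are assumptions made for the example) and lists every monitored path that appears in more than one inputs.conf.

```shell
#!/bin/sh
# Added example, not from the original post or from the Splunk app itself.
# Assumed layout: $SPLUNK_HOME/etc/system/local/inputs.conf plus
# $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf, each holding
# [monitor://<path>] stanzas as Splunk expects.

# Build a constructed SPLUNK_HOME that reproduces the overlap: an /etc monitor
# created by hand outside the app, and the app's own inputs that also want /etc.
make_fixture() {
  root=$1
  mkdir -p "$root/etc/system/local" "$root/etc/apps/splunk_app_for_nix/local"
  # constructed: the hand-made input outside the app
  cat > "$root/etc/system/local/inputs.conf" <<'EOF'
[monitor:///etc]
disabled = false
index = os
EOF
  # constructed: the app's inputs (app name is an assumption)
  cat > "$root/etc/apps/splunk_app_for_nix/local/inputs.conf" <<'EOF'
[monitor:///etc]
disabled = false
index = os

[monitor:///var/log]
disabled = false
EOF
}

# Print "<path> <count>" for every [monitor://...] stanza found in any
# inputs.conf under $root/etc; a count above 1 means two files define it.
monitor_counts() {
  root=$1
  find "$root/etc" -name inputs.conf -exec grep -h '^\[monitor://' {} + \
    | sed 's#^\[monitor://##; s#\]$##' \
    | sort | uniq -c \
    | awk '{print $2, $1}'
}

# Print only the paths that are monitored from more than one inputs.conf.
duplicate_monitors() {
  monitor_counts "$1" | awk '$2 > 1 {print $1}'
}

# Stand-alone run: create the fixture in a temp dir, report, clean up.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
echo "monitor stanzas and how many files define each:"
monitor_counts "$demo_root"
echo "defined more than once:"
duplicate_monitors "$demo_root"   # prints /etc for the constructed fixture
rm -rf "$demo_root"
```

On a real installation, point the functions at $SPLUNK_HOME instead of the fixture, or run `splunk btool inputs list --debug` to see which file each merged setting actually comes from; that is the quickest way to tell whether the app's stanza or the one you created by hand is in effect.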