I got quite some events coming in, so exemplarily I copied two, one with action=add and one with action=delete
Interesting enough the add / update events are correctly classified and the sourcetype matches the app, but for the delete events, the sourcetyp does not match the app and I don't actually see a reason why.
Maybe anybody has an idea on what might be the issue ?
Events
7/31/13 11:03:50.610 AM
Wed Jul 31 11:03:50 2013 action=delete, path="/opt/appA/config/resource/file"
host=host1 sourcetype=appB source=fschangemonitor index=core action=delete
Wed Jul 31 11:11:56 2013 action=add, path="/opt/appA/config/resource/file", isdir=0, size=1199, gid=5340, uid=5340, modtime="Thu Jun 13 10:51:58 2013", mode="r--r-----", hash=W0ReV7n8TIIUmccmbIX4xHHPiWHNNH2j1HQ3PK0qlqg=
host=host1 sourcetype=appA source=fschangemonitor index=core action=add
inputs.conf
[fschange:/opt/config/AppAsomename/resource]
index=core
followLinks=false
recurse=true
pollPeriod=60
hashMaxSize=100000000
fullEvent=true
sourcetype= appAsomename
Props.conf
[source::/opt/config/AppAsomename/resource/...]
LEARN_SOURCETYPE=false
LEARN_MODEL=false
sourcetype= appAsomename
inputs.conf
[fschange:/opt/config/AppA/resource]
index=core
followLinks=false
recurse=true
pollPeriod=60
hashMaxSize=100000000
fullEvent=true
sourcetype= appA
props.conf
[source::/opt/config/AppA/resource/...]
LEARN_SOURCETYPE=false
LEARN_MODEL=false
sourcetype= appA
↧
Are delete events misflaged ?
↧