topic Re: How do you discard events from the cron.log? in Splunk Search

How do you discard events from the cron.log?

scamarda — Tue, 29 Jan 2019 12:11:04 GMT

On my universal forwarder, I have a repeated entry in my cron.log file that I would like to discard. However, I am not very familiar with regex terms. The entry in the cron.log is:

hostname  CROND[27158]: (root) CMD (/bin/sh /etc/init.d/swiagentd swrestart > /dev/null 2&>1)

I have followed the instructions at:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest

and I am using the following:

props.conf
[source::/var/log/cron]
TRANSFORMS-null= setnull

transforms.conf
[setnull]
REGEX = swrestart
DEST_KEY = queue
FORMAT = nullQueue

I have restarted but I am still getting the message in my search. Do I have the correct regex? And is there a specific place in each .conf file that I should put the stanzas?

Re: How do you discard events from the cron.log?

dkeck — Tue, 29 Jan 2019 12:56:08 GMT

HI,

is /var/log/cron the source which is displayed with this events? Could it be that it is /var/log/cron.log

Re: How do you discard events from the cron.log?

whrg — Tue, 29 Jan 2019 14:39:37 GMT

Did you make this configuration on your Universal Forwarder?

I am asking this because the documentation on Route and filter data says:

You can use heavy forwarders to filter and route event data to Splunk instances.

So I believe that these kind of filters are not working on Universal Forwarders.

I suggest you put this configuration on the system which comes after the Universal Forwarder (probably a Heavy Forwarder or an Indexer) or replace the Universal Forwarder installation with a Heavy Forwarder.

Re: How do you discard events from the cron.log?

petom — Wed, 30 Jan 2019 17:59:29 GMT

@scamarda if you want to do parsing of the input, you have to do it either on Heavy Forwarder or on Indexer.
Universal Forwarder is not capable of parsing or transforms.

The some good reading about it:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Deploy/Datapipeline
and subsequently next page:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Deploy/Componentsofadistributedenvironment

Other interesting article about where to configure what in the data pipeline and for which part of the pipeline is here:
https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Re: How do you discard events from the cron.log?

woodcock — Wed, 30 Jan 2019 19:30:31 GMT

You need to deploy this to the first full instance of Splunk that handles the data (either HF or Indexer tier). You need to restart all Splunk instances there. You need to forward in NEW data (old data will remain) so add _index_earliest=-5m to your All time search.