Archive

How to write a script to correlate data in a file with an event in Splunk?

Path Finder

Hello,

I want to know if it is possible to do a script which read a file and correlate the data in this file with an event in Splunk.

For example, when I put a USB key in Linux, I have this log:

Jan 31 11:02:51 PFSplunkCentOS5 hald: mounted /dev/sdb1 on behalf of uid 0

and I want to correlate UID 0 with the file /etc/passwd and say uid 0 = root or other user and put root in the event in Splunk like metadata.

Cordially

amir

0 Karma
1 Solution

Communicator

You don't need a script for this. Take a look at lookups . Write a lookup that has a uid > username correlation and you can run it automatically if needed.

View solution in original post

0 Karma

Path Finder

my problem is solved thank you

0 Karma

Path Finder

Hello davpx,

How can read the /etc/passwd file to correlate the uid with the user because the "lookup" function uses only KML, KMZ and CSV and I want to use the "/etc/passwd" which isn't a KML, KMZ or CSV file.

Thank you
amir

0 Karma

Communicator

You don't need a script for this. Take a look at lookups . Write a lookup that has a uid > username correlation and you can run it automatically if needed.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!