Hi all,
I am new to Splunk and looking for some guidance.
I have created a new sourcetype in my inputs.conf file on my Linux forwarder workstation. It is monitoring /home/*/.bash_history file to check for user's commands. I can see data coming through on the Splunk UI, but I don't know how to assign a field to the value.
Example: it lists the date and time of the event and the command. I was used to seeing something like this: "exe=su -" or "exe=cat inputs.conf". Instead I get the following:
8/17/20 1:52:35.000 PM su -
8/17/20 1:52:32.000 PM cat inputs.conf
I am trying to create a table for this. How would I create a field "action" and assign the commands such as "su -" and "cat inputs.conf" to that field?
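One way to get that field, shown here as an added example rather than a reply from the thread: a search-time extraction in props.conf for the custom sourcetype. The sourcetype name `bash_history` is an assumption (the post does not name it). Because each event's `_raw` text is just the command line (the timestamp shown in the UI comes from file modification or index time, not from the line itself), the regex captures the whole line into `action`.

```ini
# props.conf on the search head (or indexer); sourcetype name is assumed
[bash_history]
# _raw of each event is the full command line, so capture all of it as "action"
EXTRACT-action = ^(?<action>.+)$

# Same result at search time without touching props.conf:
#   sourcetype=bash_history | rex field=_raw "^(?<action>.+)$" | table _time host action
```

Bash only flushes history when the shell exits (unless configured otherwise) and the user can edit or clear the file, so for reliable command auditing the auditd execve records that produce the `exe=` fields mentioned above are the stronger source.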