Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter events on Linux Machine before forwarding them to Splunk?

Kitteh
Path Finder
‎11-22-2017 11:09 PM

Image attached is the following log I wish to forward but however I want to detect ONLY newly added Cronjobs (only the first same entry of each command), I've done it on Splunk Enterprise after these are forwarded but however, Splunk Server will keep receiving these events non-stop at the back end even if I filter it on the Splunk Server side since Cronjob is always running, I wish not to index data that I am not using before forwarding it to Splunk Server, how do I go about attempting this with props.conf or transform.conf.

At the end of the day, there will be many different Cronjobs, but I want to uniquely identify them by once and only the first one of each just by looking at the CMD parameter in the brackets ()

alt text

Preview file
53 KB
0 Karma
Reply

micahkemp
Champion
‎11-24-2017 07:25 AM

Splunk can't filter (at index time) based on any kind of state (for monitor inputs). It can filter by regex of each individual event. What you are looking for can't be done at index time by Splunk natively.

If you are willing to add complexity to your input method in order to accomplish this you can look into modular inputs. That would allow you to write code that can dedup events before passing them to Splunk to index.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...