Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter events on Linux Machine before forwarding them to Splunk?

Kitteh
Path Finder
‎11-22-2017 11:09 PM

Image attached is the following log I wish to forward but however I want to detect ONLY newly added Cronjobs (only the first same entry of each command), I've done it on Splunk Enterprise after these are forwarded but however, Splunk Server will keep receiving these events non-stop at the back end even if I filter it on the Splunk Server side since Cronjob is always running, I wish not to index data that I am not using before forwarding it to Splunk Server, how do I go about attempting this with props.conf or transform.conf.

At the end of the day, there will be many different Cronjobs, but I want to uniquely identify them by once and only the first one of each just by looking at the CMD parameter in the brackets ()

alt text

Preview file
53 KB
0 Karma
Reply

micahkemp
Champion
‎11-24-2017 07:25 AM

Splunk can't filter (at index time) based on any kind of state (for monitor inputs). It can filter by regex of each individual event. What you are looking for can't be done at index time by Splunk natively.

If you are willing to add complexity to your input method in order to accomplish this you can look into modular inputs. That would allow you to write code that can dedup events before passing them to Splunk to index.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...