Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter off /var/spool events on linux?

remy06
Contributor
‎03-15-2011 10:19 AM

auditd is generating number of events on linux server.

For eg.this event is identified by session id=1336067(auto generated).

` type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool `

I can filter off the 2nd line using the keyword "cwd=/var/spool" but for the first line there isn't any keyword i can use.

Is there a way to filter off both events by using the keyword="cwd=/var/spool" and relating the two events together by their session id?

Tags (3)
Reply

netwrkr
Communicator
‎03-15-2011 01:28 PM

One idea might be to use the transaction command to group similar events together. I think you would first need to teach splunk how to extract the 'session id' field. Once you did that you could do something like

eventtype=audit | transaction fields=sid maxspan=5s

where 'sid' is the session id field you previous taught splunk how to extract.

0 Karma
Reply

netwrkr
Communicator
‎03-16-2011 01:53 PM

The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here - http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma
Reply

remy06
Contributor
‎03-16-2011 01:40 AM

I will need to filter them off before splunk indexes it.So that means I have to specific the REGEX in transforms.conf?If this is the only way then how do I specify a REGEX to filter off the events?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...