Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter off /var/spool events on linux?

remy06
Contributor
‎03-15-2011 10:19 AM

auditd is generating number of events on linux server.

For eg.this event is identified by session id=1336067(auto generated).

` type=PATH msg=audit(03/15/2011 17:04:01.513:1336067) : item=0 name=/etc/shadow inode=123456789 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00

type=CWD msg=audit(03/15/2011 17:03:01.493:1336067) : cwd=/var/spool `

I can filter off the 2nd line using the keyword "cwd=/var/spool" but for the first line there isn't any keyword i can use.

Is there a way to filter off both events by using the keyword="cwd=/var/spool" and relating the two events together by their session id?

Tags (3)
Reply

netwrkr
Communicator
‎03-15-2011 01:28 PM

One idea might be to use the transaction command to group similar events together. I think you would first need to teach splunk how to extract the 'session id' field. Once you did that you could do something like

eventtype=audit | transaction fields=sid maxspan=5s

where 'sid' is the session id field you previous taught splunk how to extract.

0 Karma
Reply

netwrkr
Communicator
‎03-16-2011 01:53 PM

The way I suggested above is to group at search time. Splunk has a nice document which details how to extract fields here - http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

0 Karma
Reply

remy06
Contributor
‎03-16-2011 01:40 AM

I will need to filter them off before splunk indexes it.So that means I have to specific the REGEX in transforms.conf?If this is the only way then how do I specify a REGEX to filter off the events?

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...