×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
minjg
Engager
Member since: ‎05-06-2024
‎06-09-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-06-2024
Activity Feed
Topics I've Started
View All

Re: bash_history file monitoring

by in Getting Data In
‎05-08-2024 12:12 AM
‎05-08-2024 12:12 AM
I added $export HISTTIMEFORMAT='%F %T' to /root/.bashrc instead of /etc/profile.d to test the HISTTIMEFORMAT setting. 1. However, in Splunk, timestamps and command are recognized as different events and searched. rm -rf local/ -> event 1 #1714721901 -> event 2 cd /opt/splunkforwarder/etc/apps/ -> event 3 #1714721771 -> event 4 2. For the timestamps test, I added a setting to another Splunk's props.conf  that works well. [test_bash_history] BREAK_ONLY_BEFORE = #(?=\d+) MAX_TIMESTAMP_LOOKAHEAD = 11 TIME_PREFIX = # TIME_FORMAT = #%s Is this setting correct? ... View more

bash_history file monitoring

by in Getting Data In
‎05-06-2024 09:45 PM
‎05-06-2024 09:45 PM
Hi. I'm using Splunk Enterprise 7.3.2 and installed universal forwarder 8.2.6 on Linux. I was asked to monitor the .bash_history file, so I installed the universal forwarder and checked that data is coming into Splunk. However, in a real-time search, most of the files are imported as well as newly added data. So monitoring is difficult because previously events are mixed with real-time events. When I do a real-time search again, the _time field of the previously imported event and the newly added event is the same. Is it related to this? Does anyone know how to solve this problem? + inputs.conf settings [monitor:///home/*/.bash_history] index=test sourcetype=test_add disabled=false crcSalt = <SOURCE> [monitor:///root/.bash_history] index=test sourcetype=test_add disabled=false crcSalt = <SOURCE> ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-09-2024 09:31 PM
Karma given to
View All