Getting Data In

How to filter events on Linux Machine before forwarding them to Splunk?

Kitteh
Path Finder

The attached image shows the log I wish to forward; however, I want to detect ONLY newly added cronjobs (only the first occurrence of each command). I've done it on Splunk Enterprise after the events are forwarded, but the Splunk server keeps receiving these events non-stop at the back end even if I filter them on the Splunk server side, since the cronjob is always running. I do not wish to index data that I am not using before forwarding it to the Splunk server. How do I go about attempting this with props.conf or transforms.conf?

At the end of the day, there will be many different cronjobs, but I want to identify each one uniquely, once and only the first one of each, just by looking at the CMD parameter in the brackets ().



micahkemp
Champion

Splunk can't filter (at index time) based on any kind of state (for monitor inputs). It can filter by regex on each individual event. What you are looking for can't be done at index time by Splunk natively.

If you are willing to add complexity to your input method in order to accomplish this you can look into modular inputs. That would allow you to write code that can dedup events before passing them to Splunk to index.
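One way to do the dedup the answer describes, as an added example that is not part of the original thread or of Splunk's own code: a small Python script that could run on the Linux host as a Splunk scripted input (or be wrapped in a modular input). It assumes the syslog-style cron line format `CRON[pid]: (user) CMD (...)`, keeps the set of CMD values already emitted in a JSON state file (path is an assumption), and writes only the first line for each distinct command to stdout, which is what Splunk indexes from a scripted input. The sample log lines are constructed for the example.

```python
import json
import os
import re
import sys
from typing import Iterable, List, Optional, Set

# Added example, not the poster's code. Matches the syslog-style cron line
# produced on most Linux hosts, e.g.
#   Jan  3 06:25:01 web01 CRON[4121]: (root) CMD (/usr/local/bin/backup.sh)
# The greedy (?P<cmd>.*) followed by \)\s*$ lets commands that themselves
# contain parentheses survive intact.
CRON_CMD_RE = re.compile(
    r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$"
)


def extract_cmd(line: str) -> Optional[str]:
    """Return the CMD (...) value from a cron log line, or None for other lines
    (session open/close, syntax errors, anything that is not a job launch)."""
    m = CRON_CMD_RE.search(line)
    return m.group("cmd").strip() if m else None


def dedup_first_seen(lines: Iterable[str], seen: Optional[Set[str]] = None) -> List[str]:
    """Return only the first line in which each distinct CMD value appears.

    `seen` is the set of commands already emitted. Pass the set loaded from the
    state file on every run so repeated executions of a known job are dropped
    on the host, before they reach the forwarder or the indexer.
    """
    if seen is None:
        seen = set()
    first_seen: List[str] = []
    for line in lines:
        cmd = extract_cmd(line)
        if cmd is None or cmd in seen:
            continue
        seen.add(cmd)
        first_seen.append(line)
    return first_seen


def load_state(path: str) -> Set[str]:
    """Load the set of already-emitted commands (empty if there is no state yet)."""
    if not os.path.exists(path):
        return set()
    with open(path, "r", encoding="utf-8") as fh:
        return set(json.load(fh))


def save_state(path: str, seen: Set[str]) -> None:
    """Persist the emitted-command set; keep this file writable only by the forwarder user."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sorted(seen), fh)


# Constructed sample input (not taken from the poster's screenshot).
SAMPLE_LOG_LINES = [
    "Jan  3 06:25:01 web01 CRON[4121]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan  3 06:30:01 web01 CRON[4188]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan  3 06:35:01 web01 CRON[4230]: (www-data) CMD (php /var/www/cron.php)",
    "Jan  3 06:40:01 web01 CRON[4290]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan  3 06:45:01 web01 CRON[4301]: (root) CMD (/usr/bin/certbot renew)",
    "Jan  3 06:45:02 web01 CRON[4301]: pam_unix(cron:session): session closed for user root",
]


def main(argv: List[str]) -> int:
    """Usage: dedup_cron.py /var/log/cron.log /var/lib/splunk/cron_seen.json

    Paths are assumptions. Splunk indexes whatever a scripted input writes to
    stdout, so only first-seen job lines are printed.
    """
    if len(argv) != 3:
        print("usage: dedup_cron.py <cron log> <state file>", file=sys.stderr)
        return 2
    log_path, state_path = argv[1], argv[2]
    seen = load_state(state_path)
    with open(log_path, "r", encoding="utf-8", errors="replace") as fh:
        for line in dedup_first_seen(fh, seen):
            print(line.rstrip("\n"))
    save_state(state_path, seen)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample this emits three lines (backup.sh, cron.php and certbot once each) and drops the repeats and the pam_unix session line; a second run against the same state file emits nothing. This is the state-based filtering that props.conf/transforms.conf cannot express: a nullQueue transform can only drop events matching a fixed regex, not "everything but the first occurrence". For a production scripted input you would also track the file offset instead of re-reading the whole log each interval.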
