Refine your search:

Add dir. /home as Data set

0

How can I add the linux /home directory to a server's Data Set and splunk only 2011 .bash_history data? If I add /home as a Data Set, it splunk's all data in /home going back to 1009 pushing me over my 500mb free version limit.

Please help.

Thank! MW

asked 04 Feb '11, 19:58

mewall2's gravatar image

mewall2
11
accept rate: 0%

6 Answers:
oldestnewestmost voted
0

.bash_history may not capture everything if the user has multiple sessions or the session terminates abnormally. See http://mywiki.wooledge.org/BashFAQ/088

Depending on your setup, you might want to consider using a version of bash with native syslog support compiled in. To help get you started: http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/

link

answered 08 Apr '11, 04:14

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

0

If you index the file with its own source/sourcetype, you can use MAX_DAYS_AGO in props.conf and set it to the number of days since in 2011, that way anything prior is ignored.

<p>MAX_DAYS_AGO = 
* Specifies the maximum number of days past, from the current date, that an extracted date
  can be valid.
* For example, if MAX_DAYS_AGO = 10, Splunk ignores dates that are older than 10 days ago.
* Defaults to 2000 (days).
* IMPORTANT: If your data is older than 2000 days, increase this setting.</p>

http://www.splunk.com/base/Documentation/latest/admin/propsconf

link

answered 05 Apr '11, 15:19

jbsplunk's gravatar image

jbsplunk ♦
10.7k1625
accept rate: 49%

edited 19 May '11, 09:23

0

Splunk is going to eat the entire file, I don't know of a setting that will only index specific parts of a file.

However, if you are wanting a specific data set from a file I would advise writing a small script that will write all of the data from year xxxx, in your case 2011, to a file. Then have splunk index that file. If your server is unix based you can cron the script to run every day to keep you file up-to-date.

link

answered 08 Feb '11, 03:40

nse's gravatar image

nse
156
accept rate: 0%

1

mewall2

Hm, not sure if I get you right. Do you want to see/search only events from 2011 out of your .bash_history file? If that is the case, you'll have the option in the search-app to drill down only that time-range!

link

answered 07 Feb '11, 18:24

LCM's gravatar image

LCM
9621417
accept rate: 17%

0

Thanks LCMThoma--But how can I narrow that .bash_history to show only 2011 activity?

Please advise and thanks!

link

answered 04 Feb '11, 21:37

mewall2's gravatar image

mewall2
11
accept rate: 0%

1

Put ".bash_history*" in the whitelist option (edit your entry on the gui: >manager>data>inputs>files & directories) or simply just monitor exactly that file you want instead of the whole directory

link

answered 04 Feb '11, 20:54

LCM's gravatar image

LCM
9621417
accept rate: 17%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×139

Asked: 04 Feb '11, 19:58

Seen: 1,840 times

Last updated: 19 May '11, 09:23

Related questions

Add Data: A text file is being interpreted as a binary file

Local Windows Logs not being indexed after being configured as a data input?

Entire file contents as a single event

props.conf $ bad character - Help Wanted

Syslog Level :Emerg - system is unusable

Add data in to the Splunk.

Add data in to the splunk

File is not indexing

Copyright © 2005-2012 Splunk Inc. All rights reserved.