The Linux Pack is designed to support the processing of Linux OS data. It currently only supports data sent by a Splunk Universal Forwarder. This Pack includes sample logs for most of the inputs found in the Splunk TA for Nix, and includes three pipelines for processing that data.
This pack may be incompatible with some Splunk dashboards that depend on specific field extractions.
Please review various Splunk add-ons and configuration files such as props.conf or transforms.conf and make adjustments as necessary.
- Linux filesystem logs: expect up to ??% reduction in event size.
- [Splunk TA] Linux scripted events: expect up to ??% reduction in event size.
- [Splunk TA] Linux scripted metrics: expect a reduction in event size in the ??% range.
To use this Pack, follow these steps:
- Create a Route with a filter for your Splunk TA Nix events, metrics and system logs (see the section below for filter recommendations).
- Select the Linux Pack as the pipeline.
Below are a few suggestions for filtering the data sent to the Linux Pack.
- Strict matching for Linux scripted events:
- Strict matching for Linux scripted metrics:
- Match against host pattern: if all hosts with a specific name pattern run Linux, this can be very effective.
- Match against index: if you route all your Linux data to a specific index, this can be very effective.
- Match against file path: since Linux paths use `/`, wildcards and log names should be enough.
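As an added example that is not part of this Pack, the following stand-alone JavaScript mirrors the three filter suggestions above; Cribl route filters are JavaScript expressions over event fields, so each suggestion is written here as a function over a plain event object. The sourcetype lists, host naming scheme, index name and sample events are all constructed assumptions, not values taken from the Splunk TA for Nix or the Pack.

```javascript
// Field names (host, index, source, sourcetype) follow Splunk's usual conventions.
// Every concrete value below is constructed for illustration.

// Strict match on sourcetype for scripted inputs (sourcetype names are assumed).
const NIX_EVENT_SOURCETYPES = new Set(['ps', 'netstat', 'lsof', 'package']);
const NIX_METRIC_SOURCETYPES = new Set(['cpu', 'vmstat', 'iostat', 'df']);

function isNixScriptedEvent(e) { return NIX_EVENT_SOURCETYPES.has(e.sourcetype); }
function isNixScriptedMetric(e) { return NIX_METRIC_SOURCETYPES.has(e.sourcetype); }

// Host-pattern match: assumed naming scheme where Linux hosts look like lnx-web-01.
const LINUX_HOST_RE = /^lnx-[a-z]+-\d+$/;
function matchesLinuxHostPattern(e) { return LINUX_HOST_RE.test(e.host || ''); }

// Index match: all Linux data routed to one dedicated index (index name assumed).
function matchesLinuxIndex(e) { return e.index === 'linux_os'; }

// File-path match: Linux paths start with '/', so a glob like /var/log/* is enough.
// The glob is turned into an anchored regex ('*' matches any run of characters);
// anything not starting with '/' (e.g. a Windows drive path) is rejected up front.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}
function matchesLinuxPath(e, glob) {
  const src = e.source || '';
  return src.startsWith('/') && globToRegExp(glob).test(src);
}

// Combined Route filter: send the event to the Linux Pack if any suggestion matches.
function routeToLinuxPack(e) {
  return isNixScriptedEvent(e) || isNixScriptedMetric(e) ||
    matchesLinuxHostPattern(e) || matchesLinuxIndex(e) ||
    matchesLinuxPath(e, '/var/log/*');
}

// Constructed sample events: two Linux sources and one Windows event log.
const SAMPLE_EVENTS = [
  { host: 'lnx-web-01', index: 'main', sourcetype: 'syslog', source: '/var/log/messages' },
  { host: 'db-07', index: 'linux_os', sourcetype: 'cpu', source: 'cpu' },
  { host: 'WIN-DC01', index: 'main', sourcetype: 'XmlWinEventLog',
    source: 'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx' },
];

for (const e of SAMPLE_EVENTS) {
  console.log(e.host, '->', routeToLinuxPack(e) ? 'Linux Pack' : 'other route');
}
```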
You can find the most recent release on our repo's releases page (link currently broken).
Almost completed pipeline for Linux scripted event inputs from the 'Splunk TA for nix', and a generic pipeline for processing metrics.
Partial pipeline for Linux scripted event inputs from the 'Splunk TA for nix'.
To contribute to the Pack, please do the following:
- Email the author at the email address listed below.
To contact us, please email [email protected]
This Pack uses the following license: Apache 2.0.