1

I want to create an alert for hosts file modification.

Found the built-in one here on the forums, but I would like to add a filter that can read inside the file, and when it's being modified by Docker, it would be ignored and wouldn't activate the alert.

Appreciate the assistance!

1 Answer

1

Unless it's in the data, Splunk has no way of knowing what process updated a file. All it knows is the data itself.

If there is something in the events that says it was put there by Docker then you can key on that and send the event to the null queue.

RichG
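As an added example (not part of the thread, and not Splunk's or the answerer's own config), here is what "key on that and send the event to the null queue" looks like in the .conf files. It assumes a file monitor input on `/etc/hosts` with the assumed sourcetype name `hosts_file`, and it assumes Docker leaves a recognizable comment such as `Added by Docker` in the file; the real marker text must be taken from your own events, since Splunk only sees the file content.

```ini
# inputs.conf (on the forwarder): monitor the hosts file under its own sourcetype.
# "hosts_file" is an assumed sourcetype name for this example.
[monitor:///etc/hosts]
sourcetype = hosts_file
index = os

# props.conf (on the indexer or heavy forwarder): attach the null-queue transform
# to that sourcetype. Index-time transforms run only where parsing happens.
[hosts_file]
TRANSFORMS-drop_docker = drop_docker_hosts_edits

# transforms.conf: any event whose raw text matches the assumed Docker marker
# is routed to nullQueue and is never indexed, so the hosts-file alert cannot
# fire on it. Adjust REGEX to whatever string actually appears in your data.
[drop_docker_hosts_edits]
REGEX = (?i)Added by Docker
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats before using this. First, the match applies per event: if the monitor input ingests the whole hosts file as one event, a Docker marker anywhere in it suppresses the entire event, including a change someone else made at the same time. Second, nullQueue discards the data permanently; if you would rather keep the record and only silence the alert, leave the transform out and instead exclude the marker in the alert's search (for example, appending `NOT "Added by Docker"`), so the modification is still searchable during an investigation.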