Image attached is the following log I wish to forward but however I want to detect ONLY newly added Cronjobs (only the first same entry of each command), I've done it on Splunk Enterprise after these are forwarded but however, Splunk Server will keep receiving these events non-stop at the back end even if I filter it on the Splunk Server side since Cronjob is always running, I wish not to index data that I am not using before forwarding it to Splunk Server, how do I go about attempting this with props.conf or transform.conf.
![alt text][1]
[1]: /storage/temp/218840-log.png
↧