topic Re: How to blacklist or whitelist logs monitored in a Windows directory? in Getting Data In

How to blacklist or whitelist logs monitored in a Windows directory?

shariinPH — Wed, 11 Mar 2015 06:24:30 GMT

I have to monitor a specific folder in a certain directory
For example my path is
G:\opdata\my_data\motherfolder\
inside the motherfolder directory, there are sub directories which are

01 Jan 2015
02 Feb 2015
020115
030115
anotherfoldername
anotherfoldername2

I have to monitor the logs with the filenames **sunn.txt* on the directories with the format mmddyy which will match the directories 020115 and 030115

in my inputs.conf, i tried to put

[monitor://G:\opdata\my_data\motherfolder\*\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but it doesnt forward anything on my indexer so i tried this one

[monitor://G:\opdata\my_data\motherfolder\...\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but the problem here is all the files with sunn.txt were indexed, even files that has the *sunn.txt* in the 01 Jan 2015 and 02 Feb 2015 were indexed.

I'm thinking to use blacklist or whitelist, but I'm having trouble to use them.
Help me pls.

Re: How to blacklist or whitelist logs monitored in a Windows directory?

satishsdange — Wed, 11 Mar 2015 07:06:55 GMT

could you please try below

[monitor://G:\opdata\my_data\motherfolder\]
whitelist = \d+\*sunn.txt

Re: How to blacklist or whitelist logs monitored in a Windows directory?

shariinPH — Wed, 11 Mar 2015 07:57:49 GMT

hi satishdange .. thanks, but it doesn't forward data to indexer .. what else do u think?

Re: How to blacklist or whitelist logs monitored in a Windows directory?

satishsdange — Thu, 12 Mar 2015 13:20:56 GMT

If your query is still open, you may use below -

[monitor://G:\opdata\my_data\motherfolder\]
     whitelist = \d{6}\*sunn.txt

Re: How to blacklist or whitelist logs monitored in a Windows directory?

shariinPH — Mon, 16 Mar 2015 02:17:16 GMT

It still doesnt work ..or does this configuration takes time before it takes effect?

Re: How to blacklist or whitelist logs monitored in a Windows directory?

satishsdange — Mon, 16 Mar 2015 04:19:19 GMT

did you restart UF?

Re: How to blacklist or whitelist logs monitored in a Windows directory?

shariinPH — Tue, 17 Mar 2015 05:30:12 GMT

yes i've done it