https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23857#M3757 <P>Hi,<BR /> Did you ever find a way to do this? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 09 Jul 2013 06:25:02 GMT gelica 2013-07-09T06:25:02Z https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23853#M3753 <P>I have a bunch of .tgz files that are being regularly uploaded to a directory and I'd like to only index a subset of the files inside the archive files.</P> <P>Example archive files:</P> <PRE><CODE> tar tzvf archive.1.2.tgz -rw-r--r-- 0 wdh wdh 948 Jan 10 09:24 app1.log -rw-r--r-- 0 wdh wdh 414 Jan 10 09:24 foo.log -rw-r--r-- 0 wdh wdh 770 Jan 10 09:24 splat.log tar tzvf archive.5.8.tgz -rw-r--r-- 0 wdh wdh 148 Jan 10 09:24 app3.log -rw-r--r-- 0 wdh wdh 216 Jan 10 09:24 bad.log -rw-r--r-- 0 wdh wdh 789 Jan 10 09:24 splat.log </CODE></PRE> <P>From the example above, I'd like only the "splat.log" file inside archive.*.tgz to be indexed. It appears to me that the whitelist/blacklist settings for an inputs.conf stanza only apply to the archive file name, not to files inside the archive. </P> <P>While I know I can have some external batch process run and pull the 'splat.log' files out, is there any way I can use whitelist/blacklist, or some other Splunk configuration mechanism to filter based on the internal filenames inside the archive files?</P> Tue, 11 Jan 2011 04:34:17 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23853#M3753 wdhathaway 2011-01-11T04:34:17Z https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23854#M3754 <P>I've just run into this issue myself and have been beating my head against the wall trying to figure it out. It's odd that splunk supports using the name of a file inside a tgz with regex to specify the hostname, but it can't look inside the tarball for the blacklist. Very frustrating!</P> Tue, 10 May 2011 23:32:18 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23854#M3754 jstockamp 2011-05-10T23:32:18Z https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23855#M3755 <P>Not quite what you're looking for, but if nothing else you could route the events to <A href="http://www.splunk.com/base/Documentation/4.2.1/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest"><CODE>nullQueue</CODE></A> to discard the events from the unwanted files at index time.</P> Wed, 11 May 2011 00:44:56 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23855#M3755 southeringtonp 2011-05-11T00:44:56Z https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23856#M3756 <P>Is this an issue with 4.3 as well? Been beating my heat on this one as well.</P> Tue, 14 Feb 2012 23:41:10 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23856#M3756 robsenk 2012-02-14T23:41:10Z https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23857#M3757 <P>Hi,<BR /> Did you ever find a way to do this? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 09 Jul 2013 06:25:02 GMT https://community.splunk.com/t5/Getting-Data-In/Whitelisting-Blacklisting-files-inside-tgz-files/m-p/23857#M3757 gelica 2013-07-09T06:25:02Z