topic Re: How to blacklist files from a particular log? in Getting Data In

How to blacklist files from a particular log?

bbazian — Thu, 26 Jan 2017 10:53:41 GMT

I would like to blacklist all files for a particular log from /var/logs. What is the proper format to not forward the log or the rolled log?

Here is what I tried but did not work.

[monitor:///var/log]
disabled = false
index = ftp-sftp
blacklist = rackspace-monitoring-agent\.log.\[12345]$

Re: How to blacklist files from a particular log?

somesoni2 — Thu, 26 Jan 2017 19:26:09 GMT

Without knowing the file names, it would be difficult to tell if above is correct or not. Once correction in the regex above is to remove escaping of square bracket. Try this

 blacklist = rackspace-monitoring-agent\.log\.[12345]$

 blacklist = rackspace-monitoring-agent\.log\.\d$

For better suggestions, please share sample file name, including the one you want to keep and you don't want to keep.

Re: How to blacklist files from a particular log?

bbazian — Thu, 26 Jan 2017 21:32:28 GMT

The files would probably roll to

rackspace-monitoring-agent.log
rackspace-monitoring-agent.log.1
rackspace-monitoring-agent.log.2
rackspace-monitoring-agent.log.3
rackspace-monitoring-agent.log.4
rackspace-monitoring-agent.log.5

Re: How to blacklist files from a particular log?

somesoni2 — Thu, 26 Jan 2017 21:46:54 GMT

If your goal is to just monitor the file rackspace-monitoring-agent.log and not the roll over files (as they should've already be monitored when they were with original name), and there are not other log files under directory /var/log that you want to monitor, the you could simply specify the file that you want to monitor in the monitoring stanza, like this. No blacklist/whitelist required in that case.

[monitor:///var/log/rackspace-monitoring-agent.log]
 disabled = false
 index = ftp-sftp

Update

For drop all varations of file with rackspace-montoring-agent.log from being monitored, try like this

[monitor:///var/log]
 disabled = false
 index = ftp-sftp
 blacklist = rackspace-monitoring-agent\.(log$|log\.\d+$)

Re: How to blacklist files from a particular log?

bbazian — Thu, 26 Jan 2017 21:50:19 GMT

My goal is to exclude all forms of that file.

Re: How to blacklist files from a particular log?

somesoni2 — Thu, 26 Jan 2017 21:58:23 GMT

Try the updated answer.

Re: How to blacklist files from a particular log?

aaraneta_splunk — Sun, 12 Feb 2017 04:52:51 GMT

@bbazian - Were you able to test out somesoni2's updated answer? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!