Getting Data In

Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

jeisonrosado
Loves-to-Learn

I have 2 files I want to monitor in the same directory with 2 different sourcetypes. My issue is both files are being picked up by sourcetype a because of the wildcard. The wildcard is needed for the dates that follow the log name. I tried blacklisting the diagnostic file from sourcetype a but that did not work.

[monitor://E:\path\to\log\directory\HFMWeb*-diagnostic.log]
sourcetype = <sourcetype b>
disabled = false
index = <index>
crcSalt = <SOURCE>

[monitor://E:\path\to\log\directory\HFMWeb*.log]
sourcetype = <sourcetype a>
disabled = false
index = <index>
crcSalt = <SOURCE>
blacklist = \-diagnostic

Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

0 Karma

Roy_9
Motivator

Hi @jeisonrosado 

You could follow example 3 or 4 listed in the below manual.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata

Hope this info helps.

Thanks

0 Karma

jeisonrosado
Loves-to-Learn

Hi @Roy_9 - Thank you for your response. Unfortunately, I did try blacklisting the file from sourcetype a but that didn't seem to work. When I search for sourcetype b, I don't get any results.

0 Karma
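
The path matching of the two monitor stanzas posted in this thread can be checked offline before touching a forwarder. This is an added example, not part of the thread and not Splunk's code: it assumes `*` matches within a single path segment and that `blacklist` is an unanchored regex searched against the full path, the file names are constructed, and it models only path matching, not the rest of input processing.

```python
import re

def wildcard_to_regex(monitor_path):
    """Translate a monitor path: '...' crosses directories, '*' stays in one segment."""
    out, i = [], 0
    while i < len(monitor_path):
        if monitor_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitor_path[i] == "*":
            out.append(r"[^\\/]*")   # anything except a path separator
            i += 1
        else:
            out.append(re.escape(monitor_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def claiming_stanzas(path, stanzas):
    """Return the names of every stanza whose pattern accepts this file path."""
    hits = []
    for name, cfg in stanzas.items():
        if not wildcard_to_regex(cfg["path"]).match(path):
            continue
        blacklist = cfg.get("blacklist")
        if blacklist and re.search(blacklist, path):
            continue                 # excluded by this stanza's blacklist
        hits.append(name)
    return hits

# The two stanzas from the post, keyed by the sourcetype placeholder they use.
STANZAS = {
    "b": {"path": r"E:\path\to\log\directory\HFMWeb*-diagnostic.log"},
    "a": {"path": r"E:\path\to\log\directory\HFMWeb*.log",
          "blacklist": r"\-diagnostic"},
}

# Constructed file names; the real date format is not given in the thread.
SAMPLES = [
    r"E:\path\to\log\directory\HFMWeb2024-01-15.log",
    r"E:\path\to\log\directory\HFMWeb2024-01-15-diagnostic.log",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        owners = claiming_stanzas(sample, STANZAS)
        flag = "" if len(owners) == 1 else "  <-- overlap or unclaimed"
        print(f"{sample} -> {owners}{flag}")
```

Any file reported with more than one owner, or none, is a path the two stanzas do not separate cleanly at the pattern level.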