I'm trying to get a blacklist in my inputs.conf to work correctly, but it's just not happening. It seems so simple... I am monitoring /logs.
Here's what I need:
I tried this, and variants of it, but it didn't work:
blacklist = (^esx-abcd-|\.bz2$|\.gz$)
It seems like no matter what I try, it keeps indexing the directories under esx-abdc-*. I've even tried hard-coding in specific directory names (for testing purposes), yet it still goes ahead and indexes everything under it. Something obviously isn't right.
Can someone help?
It is hard to say exactly, since you didn't include the rest of the stanza and we don't know what your monitor line looks like, but generally Splunk pulls the entire PATH of the files it monitors (this typically shows up as the "source" field). Therefore, your regex, "^esx-*", assumes that the beginning of the line starts with "esx". If this is Windows, the beginning of the line is probably something like C:... and if it is Linux it might be something like "/var/log". It is unlikely the path to the monitored file will begin with "esx" without something in front of it.
Try removing the ^ since that might match, or stating the explicit path that should appear in appropriate regex format.
Thank you for your response. It's a Linux system, and I tried with and without the ^. Nothing seems to work...
The Splunk docs in http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=s...
implied that the blacklist regex is relative to what is specified in the [monitor] stanza. They use this example:
blacklist = (archive|historical|.bak$)
The above example tells Splunk to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.
blacklist = (?i:esx-abcd|\.bz2$|\.gz$)
That will make it a case-insensitive regex, and remove the anchor just in case there is a path element prepended.
Also, make sure that your monitor line doesn't have a trailing / on the path. I'm not sure it would matter, but just to be safe.
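To see why the anchored pattern never fires, here is an added example (not from this thread) that applies both regexes the way Splunk does, as an unanchored search over the full source path; the sample paths under /logs are constructed for illustration.

```python
import re

# Constructed sample source paths, as Splunk sees them when monitoring
# /logs on Linux: always the full path, never just the file or dir name.
SAMPLE_PATHS = [
    "/logs/esx-abcd-host01/vmkernel.log",
    "/logs/esx-abcd-host01/vmkernel.log.gz",
    "/logs/ESX-ABCD-host02/hostd.log",
    "/logs/app/server.log",
    "/logs/app/server.log.1.bz2",
]

# The poster's original attempt: "^" forces "esx-abcd-" to be at the very
# start of the path, which can never be true when the path starts with "/".
ANCHORED = r"(^esx-abcd-|\.bz2$|\.gz$)"

# The suggested fix: no start anchor, and (?i:...) makes the whole
# alternation case-insensitive so ESX-ABCD is caught as well.
FIXED = r"(?i:esx-abcd|\.bz2$|\.gz$)"


def is_blacklisted(blacklist, path):
    """Mimic Splunk's blacklist check: a regex search anywhere in the full path."""
    return re.search(blacklist, path) is not None


def still_indexed(blacklist, paths=SAMPLE_PATHS):
    """Return the paths that would NOT be blacklisted, i.e. still get indexed."""
    return [p for p in paths if not is_blacklisted(blacklist, p)]


if __name__ == "__main__":
    for label, pattern in (("anchored", ANCHORED), ("fixed", FIXED)):
        print(f"{label:8s} -> still indexed: {still_indexed(pattern)}")
```

With the anchored pattern every esx-abcd directory is still indexed and only the compressed files drop out; with the fixed pattern only /logs/app/server.log remains.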
I'll be honest, I have to give tech support credit for this one.... I kick myself because I was so close at one point:
blacklist = ^esx-tssdc-.*|\.(gz|gz2)$