Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HOw to black list entire folder

vikas_gopal
Builder
‎03-03-2020 03:17 PM

HI Experts ,

I am prety sure this has been already answered but I am not able to find the correct answer on the community . I have path as below
C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\
server1
server2
server3

I have 8 servers on which same directory structure exist

I want to use host_segment so that my host name will be automatically picked up and I only want to index server1 files . So 2 things I want to achieve
1) If I am on host 1 , the host name should be server1

2) Only server1 folder files will get indexed .

I tried folloing but it is not indexing my files and not setting up the hostname 

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\*\productengin_*.log]
disabled = false
host_segment = 5
index = main
whitelist = server1

Any suggestion will be highly appricaited

Regards
VG

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-03-2020 03:24 PM

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-03-2020 03:24 PM

Can you do this?

[monitor://C:\app1\tomcatlogs1\WNSalesLogs1\WNEngine1\server1\productengin_*.log]
 host=server1
 index=main
0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎03-03-2020 03:48 PM

My bad I don't know after posting my format of the inputs.conf file is disturbed let me modify it .Please check now , hope this make sense . Here first * is folder like server1, server2, etc . Wild car in the file name , I am not bothered about that , because it is just 1,2 ,3 etc

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-03-2020 04:16 PM

I've updated

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎03-03-2020 04:21 PM

Thank you for the quick response but the only concern is via DS how I can manage this as a single stenza . That is why I was planing to use host_segment . So does this mean I have to create sepparate app per host ?

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎03-03-2020 07:13 PM

Well I have created separate SC and App on DS for each host.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-03-2020 11:46 PM

The way you wanted to do this is possible, but you need props & transforms.

props.conf
[sourcetype]
TRANSFORMS-abc=abc

transforms.conf
[abc]
REGEX=WNEngin1\/(\W+)\/
 SOURCE=MetaData:Source
FORMAT=host::$1
DEST=MetaData:Host
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...