Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I correct my forwarder blacklist configuration for FTP-Logs?

E_Andreas
New Member
‎12-01-2015 02:17 AM

Dear Community,

In our Webserver we have the following Logs: F:\IIS-Log
Sometimes we have F:\IIS-LOG\FTP and F:\IIS-LOG\WWW in this folder and sometimes the logs are stored on the Webserver without the FTP and WWW subfolders.

So we created following "inputs.conf" entry for our Windows-Webserver-APP (Deployment App):

[monitor://C:\inetpub\logs\LogFiles]
blacklist=*\FTP*$
index=winwebserver
sourcetype=iis
disabled=0

[monitor://F:\IIS-Log]
index=winwebserver
sourcetype=iis
blacklist=*\FTP*$
disabled=0

The Problem is, we still get the Logs from the F:\IIS-LOG\FTP\ Folder...
we need the * wildcard because sometimes the Logs are stored in F:\IIS-LOG\FTPSCV1\ folder etc.

How to correctly blacklist the FTP-Logs?

0 Karma
Reply

jaredlaney
Contributor
‎12-01-2015 04:50 AM

The blacklist actually needs to be a regular expression. Remember that "*" is a reserved character meaning zero or more. Could you try doing the following?

blacklist=FTP.*$ or maybe blacklist=FTP

Here are some more examples.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Whitelistorblacklistspecificincomingdata

You can test your regular expression at:

https://regex101.com/

0 Karma
Reply

E_Andreas
New Member
‎12-01-2015 02:21 AM

sorry i forgot the wildcard in the first post

blacklist=FTP*$
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...