- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to blacklist a log data from being monitor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to blacklist a log data from being monitored from router device ending with host name 03r /04r and keeping other devices still monitored?
Hi All, My exact requirement, currently we need to route two router devices at the site 03r and 04r point to index=net sourcetype=cisco:network:router to index=net sourcetype=cisco:network:switch .
We have all these devices name uxx01r, bxx02r, mxx03r , uxx04r , dxxx01psr and usxxx-inside-xsx-failover-vlan201 are pointing to the below index=net sourcetype=cisco:network:router. But network team wants to have the device name mxx03r and uxx04r data alone to be pointed to index=net sourcetype=cisco:network:switch. And there are totally 35 devices with name ending 03r and 04r names.
Current input stanza.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
[monitor:///opt/syslogs/network/.../switch.log*]
index=net
sourcetype=cisco:network:switch
host_segment=4
Kindly guide how to black list the device ending with the host name 03r and 04r index=net sourcetype=cisco:network:switch and keep others devices pointing index=net sourcetype=cisco:network:router.
Please provide me the regex that can black list these devices ending with 03r and 04r.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this
blacklist = ^.*03r$|^.*04r$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A bit similar case at How to blacklist two different hosts in inputs.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All, I have used the below regex to black list device data being captured from 03r and 04r to index=net index=net sourcetype=cisco:network:router.
[monitor:///opt/syslogs/network/.../router.log*]
index=net
sourcetype=cisco:network:router
host_segment=4
blacklist = network\/\w*0(3|4)r
Created a separate stanza for pointing the 3r and 04r device data to index=net sourcetype=cisco:network:switch
[monitor:///opt/syslogs/network/\w*0(3r|4r)/router.log]
index=net
sourcetype=cisco:network:switch
host_segment=4
It worked in our environment.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
