Getting Data In

How to blacklist files from a particular log?

bbazian
New Member

I would like to blacklist all files for a particular log from /var/logs. What is the proper format to not forward the log or the rolled log?

Here is what I tried but did not work.

[monitor:///var/log]
disabled = false
index = ftp-sftp
blacklist = rackspace-monitoring-agent\.log.\[12345]$

somesoni2
Revered Legend

If your goal is to just monitor the file rackspace-monitoring-agent.log and not the rollover files (as they should've already been monitored when they had the original name), and there are no other log files under the directory /var/log that you want to monitor, then you could simply specify the file that you want to monitor in the monitor stanza, like this. No blacklist/whitelist is required in that case.

[monitor:///var/log/rackspace-monitoring-agent.log]
 disabled = false
 index = ftp-sftp

Update

To drop all variations of the file rackspace-monitoring-agent.log from being monitored, try this:

[monitor:///var/log]
 disabled = false
 index = ftp-sftp
 blacklist = rackspace-monitoring-agent\.(log$|log\.\d+$)



bbazian
New Member

My goal is to exclude all forms of that file.


aaraneta_splunk
Splunk Employee

@bbazian - Were you able to test out somesoni2's updated answer? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!


somesoni2
Revered Legend

Try the updated answer.


bbazian
New Member

The files would probably roll to

rackspace-monitoring-agent.log
rackspace-monitoring-agent.log.1
rackspace-monitoring-agent.log.2
rackspace-monitoring-agent.log.3
rackspace-monitoring-agent.log.4
rackspace-monitoring-agent.log.5


somesoni2
Revered Legend

Without knowing the file names, it would be difficult to tell if the above is correct or not. One correction to the regex above is to remove the escaping of the square bracket. Try this:

 blacklist = rackspace-monitoring-agent\.log\.[12345]$

or

 blacklist = rackspace-monitoring-agent\.log\.\d$

For better suggestions, please share sample file name, including the one you want to keep and you don't want to keep.

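As an added check, not code from any post in this thread: the script below runs the patterns proposed above (the asker's original attempt, the accepted `(log$|log\.\d+$)` form, and the two alternatives in the last reply) against the rotated names bbazian listed, plus a few constructed neighbours under /var/log. Splunk evaluates `blacklist` as an unanchored regex search against each file's full path, and Python's `re` treats these particular patterns the same way, so the output shows exactly which files each stanza would stop monitoring. The `.log.10`, `.log.1.gz`, `.log.bak`, `auth.log`, `syslog` and `vsftpd.log.2` paths are constructed additions, chosen to expose the differences between the patterns.

```python
import re

# Constructed sample of paths under /var/log. The first three are the names
# the asker listed; the rest are added here to probe edge cases.
SAMPLE_PATHS = [
    "/var/log/rackspace-monitoring-agent.log",
    "/var/log/rackspace-monitoring-agent.log.1",
    "/var/log/rackspace-monitoring-agent.log.5",
    "/var/log/rackspace-monitoring-agent.log.10",    # tenth rotation (two digits)
    "/var/log/rackspace-monitoring-agent.log.1.gz",  # compressed rotation
    "/var/log/rackspace-monitoring-agent.log.bak",   # manual backup copy
    "/var/log/auth.log",                             # unrelated, must stay monitored
    "/var/log/syslog",
    "/var/log/vsftpd.log.2",
]

# The blacklist values discussed in the thread, keyed by where they came from.
# Splunk applies whitelist/blacklist as a regex *search* over the full path,
# so nothing is anchored unless the pattern itself uses ^ or $.
PATTERNS = {
    "asker (escaped bracket)": r"rackspace-monitoring-agent\.log.\[12345]$",
    "accepted answer":         r"rackspace-monitoring-agent\.(log$|log\.\d+$)",
    "bracket class":           r"rackspace-monitoring-agent\.log\.[12345]$",
    "single digit":            r"rackspace-monitoring-agent\.log\.\d$",
}


def monitored(paths, blacklist):
    """Paths the monitor stanza would still read after applying the blacklist."""
    rx = re.compile(blacklist)
    return [p for p in paths if not rx.search(p)]


def excluded(paths, blacklist):
    """Paths the blacklist drops, in the original order."""
    kept = set(monitored(paths, blacklist))
    return [p for p in paths if p not in kept]


def report(paths=SAMPLE_PATHS, patterns=PATTERNS):
    """Map each pattern name to the list of paths it would drop."""
    return {name: excluded(paths, pat) for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, dropped in report().items():
        print(f"{name}: {PATTERNS[name]}")
        if not dropped:
            print("    (drops nothing)")
        for p in dropped:
            print("    drops", p)
```

The asker's pattern drops nothing, because `\[12345]` is a literal `[12345]` rather than a character class; that is the escaping the last reply points out. The accepted answer drops the live file and every numeric rotation, including `.log.10`, while both `[12345]$` and `\d$` keep the live file and miss the two-digit rotation, so they only suit the stated goal if rotation never goes past nine. None of the patterns covers a compressed `.log.1.gz` or a `.log.bak`; if logrotate compresses on this host, extend the accepted pattern to something like `rackspace-monitoring-agent\.log(\.\d+)?(\.gz)?$` and rerun this check before shipping the stanza.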