Getting Data In

How to blacklist files from a particular log?

bbazian
New Member

I would like to blacklist all files for a particular log from /var/logs. What is the proper format to not forward the log or the rolled log?

Here is what I tried but did not work.

[monitor:///var/log]
disabled = false
index = ftp-sftp
blacklist = rackspace-monitoring-agent\.log.\[12345]$
0 Karma
1 Solution

somesoni2
Revered Legend

If your goal is to just monitor the file rackspace-monitoring-agent.log and not the roll over files (as they should've already be monitored when they were with original name), and there are not other log files under directory /var/log that you want to monitor, the you could simply specify the file that you want to monitor in the monitoring stanza, like this. No blacklist/whitelist required in that case.

[monitor:///var/log/rackspace-monitoring-agent.log]
 disabled = false
 index = ftp-sftp

Update

For drop all varations of file with rackspace-montoring-agent.log from being monitored, try like this

[monitor:///var/log]
 disabled = false
 index = ftp-sftp
 blacklist = rackspace-monitoring-agent\.(log$|log\.\d+$)

View solution in original post

0 Karma

somesoni2
Revered Legend

If your goal is to just monitor the file rackspace-monitoring-agent.log and not the roll over files (as they should've already be monitored when they were with original name), and there are not other log files under directory /var/log that you want to monitor, the you could simply specify the file that you want to monitor in the monitoring stanza, like this. No blacklist/whitelist required in that case.

[monitor:///var/log/rackspace-monitoring-agent.log]
 disabled = false
 index = ftp-sftp

Update

For drop all varations of file with rackspace-montoring-agent.log from being monitored, try like this

[monitor:///var/log]
 disabled = false
 index = ftp-sftp
 blacklist = rackspace-monitoring-agent\.(log$|log\.\d+$)
0 Karma

bbazian
New Member

My goal is to exclude all forms of that file.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@bbazian - Were you able to test out somesoni2's updated answer? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

0 Karma

somesoni2
Revered Legend

Try the updated answer.

0 Karma

bbazian
New Member

The files would probably roll to

rackspace-monitoring-agent.log
rackspace-monitoring-agent.log.1
rackspace-monitoring-agent.log.2
rackspace-monitoring-agent.log.3
rackspace-monitoring-agent.log.4
rackspace-monitoring-agent.log.5

0 Karma

somesoni2
Revered Legend

Without knowing the file names, it would be difficult to tell if above is correct or not. Once correction in the regex above is to remove escaping of square bracket. Try this

 blacklist = rackspace-monitoring-agent\.log\.[12345]$

or

 blacklist = rackspace-monitoring-agent\.log\.\d$

For better suggestions, please share sample file name, including the one you want to keep and you don't want to keep.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...