How to blacklist keywords in inputs.conf

alexspunkshell · ‎07-23-2020

Hi,

I am using UF for syslog. In inputs.conf made index=cisco and sourcetype=syslog:ios and able to receive logs in console.

Now i am receiving too much logs. Having below keywords in logs.

"DOMAIN-2-IME"

"DOMAIN-2-IME_DETAILS"

"DOMAIN-5-TCA"

tried blacklist = "Domain" in inputs.conf but failed to filter it. Plese help me how to filter logs with Keywords in logs.

richgalloway · ‎07-23-2020

Blacklisting is for filenames to monitor, not keywords within events. To strip out events based on text within those events, check out SEDCMD in props.conf. It uses regular expressions to modify events before they're indexed. WARNING: your regex must identify the whole event if that is what you want to change. The UF will not do that for you.
You may want to check if your syslog server can do the filtering for you. That may be easier.

---
If this reply helps you, Karma would be appreciated.

How to blacklist keywords in inputs.conf

blacklist

inputs.conf

props.conf

transforms.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation

How to blacklist keywords in inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.