Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to blacklist or whitelist logs monitored in a Windows directory?

shariinPH
Contributor
‎03-10-2015 11:24 PM

Hi

I have to monitor a specific folder in a certain directory
For example my path is
G:\opdata\my_data\motherfolder\
inside the motherfolder directory, there are sub directories which are

01 Jan 2015
02 Feb 2015
020115
030115
anotherfoldername
anotherfoldername2

I have to monitor the logs with the filenames **sunn.txt* on the directories with the format mmddyy which will match the directories 020115 and 030115

in my inputs.conf, i tried to put

[monitor://G:\opdata\my_data\motherfolder\*\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but it doesnt forward anything on my indexer so i tried this one 

[monitor://G:\opdata\my_data\motherfolder\...\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but the problem here is all the files with sunn.txt were indexed, even files that has the *sunn.txt* in the 01 Jan 2015 and 02 Feb 2015 were indexed.

I'm thinking to use blacklist or whitelist, but I'm having trouble to use them.
Help me pls.

0 Karma
Reply

satishsdange
Builder
‎03-11-2015 12:06 AM

could you please try below 

[monitor://G:\opdata\my_data\motherfolder\]
whitelist = \d+\*sunn.txt
0 Karma
Reply

satishsdange
Builder
‎03-12-2015 06:20 AM

If your query is still open, you may use below -

[monitor://G:\opdata\my_data\motherfolder\]
     whitelist = \d{6}\*sunn.txt
0 Karma
Reply

shariinPH
Contributor
‎03-15-2015 07:17 PM

It still doesnt work ..or does this configuration takes time before it takes effect?

0 Karma
Reply

satishsdange
Builder
‎03-15-2015 09:19 PM

did you restart UF?

0 Karma
Reply

shariinPH
Contributor
‎03-16-2015 10:30 PM

yes i've done it

0 Karma
Reply

shariinPH
Contributor
‎03-11-2015 12:57 AM

hi satishdange .. thanks, but it doesn't forward data to indexer .. what else do u think?

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...