Getting Data In

How to make sure files containing a particular pair of letters are properly blacklisted?

Path Finder

This is what I have started:

blacklist = *gc*\.log$
sourcetype = CrewAdminAdapter

There are logs that look like: cw_nms_msa_ms011_gc060.log. I don't want any of the logs that look like this, but there are other logs very similar to this that I do want, but they don't contain _gc, which is our garbage collection file.

How do I keep those files from coming in with my blacklisting?

0 Karma

Ultra Champion

As we just spoke about in the other thread at "Is it possible to use regular expressions and wildcard in the monitoring stanza of inputs.conf?"

Says -

[image]

The syntax is of wildcard and not regex. So, blacklist = *gc*.log should work and not blacklist = *gc*\.log$

You should be able to validate it using ls *gc*.log.

0 Karma



The use of regular expressions within a blacklist is allowed.

The use of regular expressions within [monitor://....] is not allowed.

0 Karma

Path Finder

Sorry, the line is gc.log$

0 Karma
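
A way to test candidate blacklist patterns against sample paths before deploying them, as an added example that is not part of any post in this thread. It assumes blacklist is applied as an unanchored regular expression to the full file path and uses Python's re module as a stand-in for Splunk's regex engine; the directory, the two "keep" file names, and the patterns _gc\d+\.log$ and gc.*\.log$ are constructed for illustration.

```python
import re

# Constructed sample paths. Only the first file name comes from the question;
# the directory and the other two names are hypothetical neighbours.
SAMPLE_PATHS = [
    "/var/log/crew/cw_nms_msa_ms011_gc060.log",  # GC log: should be excluded
    "/var/log/crew/cw_nms_msa_ms011_060.log",    # no "gc": should be kept
    "/var/log/crew/cw_nms_msgc_ms011_060.log",   # "gc" but not "_gc": keep
]


def check_blacklist(pattern, paths=SAMPLE_PATHS):
    """Report which paths a candidate blacklist regex would exclude.

    Assumption: the pattern is searched anywhere in the full path
    (unanchored), so use ^ and $ when an anchor is intended.
    """
    result = {"pattern": pattern, "error": None, "excluded": [], "kept": []}
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        # The pattern is not a valid regex; nothing is evaluated.
        result["error"] = str(exc)
        return result
    for path in paths:
        bucket = "excluded" if rx.search(path) else "kept"
        result[bucket].append(path)
    return result


if __name__ == "__main__":
    candidates = [
        r"*gc*\.log$",    # from the question: glob-style stars in a regex
        r"gc.log$",       # from the follow-up post
        r"gc.*\.log$",    # constructed: matches "gc" anywhere before .log
        r"_gc\d+\.log$",  # constructed: "_gc", digits, then ".log" at the end
    ]
    for candidate in candidates:
        report = check_blacklist(candidate)
        print(candidate)
        if report["error"]:
            print("  invalid regex:", report["error"])
            continue
        for path in report["excluded"]:
            print("  excluded:", path)
        for path in report["kept"]:
            print("  kept:    ", path)
```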