How to make sure files containing a particular pai...

nls7010 · ‎11-08-2016

This is what I have started:

[monitor:///web/apps/doms/domains/*/CrewAdminAdapter.log]
index=wlsseappslogs
blacklist = *gc*\.log$
sourcetype = CrewAdminAdapter
crcSalt=

There are logs that look like: cw_nms_msa_ms011_gc060.log I don't want any of the logs that look like this but there are other logs very similar to this that I do want but they don't contain _gc which is our garbage collection file.

How do I keep those files from coming in with my blacklisting?

ddrillic · ‎11-08-2016

As we just spoke about in the other thread at Is it possible to use regular expressions and wildcard in the monitoring stanza of inputs.conf?

inputs.conf

Says -

The syntax is of wildcard and not regex. So, blacklist = *gc*.log should work and not blacklist = *gc*\.log$

You should be abe to validate it using ls *gc*.log.

adamsaul · ‎12-07-2016

ddrillic,

The use of regular expressions within a blacklist is allowed.

The use of regular expressions within [monitor://....] is not allowed.

nls7010 · ‎11-08-2016

sorry the line is gc.log$

How to make sure files containing a particular pair of letters are properly blacklisted?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...