Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

How to whitelist files in directory and not in subdirectories?

akchauhan
Explorer
โ€Ž01-31-2018 11:13 AM

Hi Guys
I am trying to pick logs having job-info.log name in common directory and job-heartbeat.logs from heartbeat sub directory and job-error .log from error sub directory. I used the configuration below and it is working fine. The only issue that I am facing is job-info.log files are also getting picked up when someone places these files in other sub directories (xyz in below case). I don't want these files to pick when they are placed in any sub-directories, These should be picked only when they are placed in the common directory. Please suggest changes in the whitelist.

[monitor:///abc/common/]
disabled = false
index = infra_job
whitelist = (job-info.log|heartbeat/job-heartbeat.log|error/job-error.*log)

directories structure

cd /abc/common/

files/directories under this directory (example)

error/
heartbeat/
xyz/job-info.*log ---- don't want these logs to pick
job-info1.log
job-info2.log
job-info3.log

Thanks in advance

0 Karma
Reply

FrankVl
Ultra Champion
โ€Ž02-01-2018 05:07 AM

Why not create 3 separate monitor inputs, one for job-info, one for error and one for heartbeat?

[monitor:///abc/common/job-info.*log]
disabled = false
index = infra_job

[monitor:///abc/common/heartbeat/job-heartbeat.*log]
disabled = false
index = infra_job

[monitor:///abc/common/error/job-error.*log]
disabled = false
index = infra_job
0 Karma
Reply

akchauhan
Explorer
โ€Ž02-01-2018 05:36 AM

yes, this was already in mind. Just thinking instead of creating 3 separate model inputs, if it is possible to do using whitelist/blacklist in single input that would be great.

0 Karma
Reply

pyro_wood
SplunkTrust
SplunkTrust
โ€Ž01-31-2018 12:01 PM

Hey akchauhan,

there is a blacklist setting you could set for the job-info*.log files.

Just add the following line to your config:

blacklist=(\/abc\/common\/xyz\/job-info\d*\.log)

This will make sure you definitely will not index files under the specified path, cuz blacklist take precedence over whitelists.
Stated here: If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

0 Karma
Reply

akchauhan
Explorer
โ€Ž02-01-2018 12:08 AM

There are chances that dev team can create directory similar to xyz with other name as well. so what change do I need to add in blacklist you mentioned?

0 Karma
Reply

ddrillic
Ultra Champion
โ€Ž01-31-2018 11:56 AM 
recursive = false

might do it.

0 Karma
Reply

akchauhan
Explorer
โ€Ž02-01-2018 04:05 AM

this is not working. Adding recursive = false will not pick logs in error and heartbeat directory.

0 Karma
Reply