Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Blacklist in Inputs.conf

vaibhavagg2006
Communicator
‎09-28-2017 12:21 AM

Hi Experts
I have following monitor stanza . I want to blacklist "data/xyz/logs/router.jar.log" but want to monitor "/data/xyz/logs/abc/abc-router/abc-router.jar.log" . Though I have mentioned router.* still is blacklisting "abc-router.jar.log". Please help here

[monitor:///data/xyz/logs/]
index = test
sourcetype = test_st
whitelist=\.jar\.log$
blacklist=discovery.*|router.*|java.*
disabled = 0

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2017 12:41 AM

Hi vaibhavagg2006,
maybe you alredy tested this solution:

[monitor:///data/xyz/logs/]
index = test
sourcetype = test_st
whitelist=\.jar\.log$
blacklist=(discovery|router|java)\/abc-router\.jar\.log
disabled = 0

Bye.
Giuseppe

0 Karma
Reply

vaibhavagg2006
Communicator
‎09-28-2017 12:51 AM

Thanks for your inputs
I do not want to blacklist /logs/abc/abc-router.jar.log
Only want to blacklist /logs/router.jar.log

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2017 01:36 AM

try

 [monitor:///data/xyz/]
 index = test
 sourcetype = test_st
 whitelist=logs\/\.jar\.log$
 blacklist=(discovery|router|java)\/abc-router\.jar\.log
 disabled = 0

Bye.
Giuseppe

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-28-2017 12:31 AM

may i know, if the monitor path was correct in the question?!?!

[monitor:///data/xyz/logs/abc/abc-router/]
index = test
sourcetype = test_st
whitelist=.jar.log$
blacklist=discovery\.|router\.|java\.*
disabled = 0

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

vaibhavagg2006
Communicator
‎09-28-2017 12:35 AM

Monitor path is "///data/xyz/logs/"

There are multiple dynamic folders under logs
abc
qwe
poi

Also there is a file "router.jar.log" inside logs folder. I want to black list it. But want to index a file "abc-router.jar.log" present in /logs/abc/

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-28-2017 12:49 AM
  1. maybe, try whitelist alone(without blacklist) and blacklist alone, then together..
  2. whitelist=\.jar\.log$
  3. blacklist=discovery\.|router\.|java\.*
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...