Issue with Blacklist in Inputs.conf

vaibhavagg2006 · ‎09-28-2017

Hi Experts
I have following monitor stanza . I want to blacklist "data/xyz/logs/router.jar.log" but want to monitor "/data/xyz/logs/abc/abc-router/abc-router.jar.log" . Though I have mentioned router.* still is blacklisting "abc-router.jar.log". Please help here

[monitor:///data/xyz/logs/]
index = test
sourcetype = test_st
whitelist=\.jar\.log$
blacklist=discovery.*|router.*|java.*
disabled = 0

gcusello · ‎09-28-2017

Hi vaibhavagg2006,
maybe you alredy tested this solution:

[monitor:///data/xyz/logs/]
index = test
sourcetype = test_st
whitelist=\.jar\.log$
blacklist=(discovery|router|java)\/abc-router\.jar\.log
disabled = 0

Bye.
Giuseppe

vaibhavagg2006 · ‎09-28-2017

Thanks for your inputs
I do not want to blacklist /logs/abc/abc-router.jar.log
Only want to blacklist /logs/router.jar.log

gcusello · ‎09-28-2017

try

 [monitor:///data/xyz/]
 index = test
 sourcetype = test_st
 whitelist=logs\/\.jar\.log$
 blacklist=(discovery|router|java)\/abc-router\.jar\.log
 disabled = 0

Bye.
Giuseppe

inventsekar · ‎09-28-2017

may i know, if the monitor path was correct in the question?!?!

[monitor:///data/xyz/logs/abc/abc-router/] index = test sourcetype = test_st whitelist=.jar.log$ blacklist=discovery\.|router\.|java\.* disabled = 0

vaibhavagg2006 · ‎09-28-2017

Monitor path is "///data/xyz/logs/"

There are multiple dynamic folders under logs
abc
qwe
poi

Also there is a file "router.jar.log" inside logs folder. I want to black list it. But want to index a file "abc-router.jar.log" present in /logs/abc/

inventsekar · ‎09-28-2017

maybe, try whitelist alone(without blacklist) and blacklist alone, then together..
whitelist=\.jar\.log$
blacklist=discovery\.|router\.|java\.*

Issue with Blacklist in Inputs.conf

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup