Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issues with applying blacklists on a light fowarder

Pierceyuk
Path Finder
‎03-12-2014 03:11 AM

So I have a syslog-ng running and splunk running picking up everything under /var/log/syslog-ng/general/

My regex skills are almost non existent.
If there are a few hosts that I want to exclude (../general/-/-.log [a bad host] and ../general/1.1.1.1/1.1.1.1.log [a random IP Host I don't need] ) Am I best learning and coding some fancy regex code for this

blacklist=(/-/-)|(/--/--)|(/var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log)

Which I know does not work and is not even close due to the dots meaning something else.
Can I code a monitor statement like:

[monitor:///var/log/syslog-ng/general/1.1.1.1/1.1.1.1.log]
blacklist=.

Or is there an even easier/fool proof method I can use when some of the hosts are junk and need to be stopped? (apart from obviously getting the end user to stop sending me junk...)

0 Karma
Reply

rakesh_498115
Motivator
‎03-12-2014 05:04 AM

Wat do you mean by stopping few hosts . you mean stopping Stopping syslog data from some unknown hosts ?? you can do that pretty well using transforms.conf configuration i.e applying filtering on the hostips

0 Karma
Reply

Pierceyuk
Path Finder
‎03-12-2014 05:10 AM

So I have 200+ hosts sending syslog to this box. Most is nicely formated and wanted. Some of it is junk data (hostname ="-") and some of it is pointless (host 1.1.1.1 sends a million events an hour all the same) I just want to do some quick filtering to say 'ignore this list of folders'

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...