
Why is my blacklist regular expression not working?

New Member

Watching: /var/log (across 6 servers)

Blacklist:

(audit|(\.gz$))

Result: still uploads at least a gig of /var/log/audit/audit.log every day. I feel like I've tried everything (tweaking the regular expression, restarting Splunk, waiting).


Re: Why is my blacklist regular expression not working?

Splunk Employee

Can you give examples of filenames in the monitored directory?


Re: Why is my blacklist regular expression not working?

New Member

So, UPDATE: if I put the exact same regex in my inputs.conf it works fine, just NOT IN THE WEB INTERFACE.


Re: Why is my blacklist regular expression not working?

SplunkTrust

I'd try this:

blacklist = (?i:.*?\/audit\/.*$|.*\.gz$)

The initial flag just sets it case insensitive. Then we have a choice of either any name with "/audit/" anywhere in it, lazy before, greedy after, or any file ending in .gz, greedy before because we're only backtracking at the end-of-field marker and that won't take long.

Most of the answer came from here...

https://answers.splunk.com/answers/30645/cant-get-a-blacklist-to-work-please-help.html

and here ...

http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=s...

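To see what the two regexes in this thread actually exclude, here is an added Python check (not from the thread or from Splunk) that applies each one, unanchored against the full path the way a monitor blacklist is, to a constructed set of paths under /var/log:

```python
import re

# Blacklist regex suggested in the answer above.
ANSWER_BLACKLIST = re.compile(r"(?i:.*?\/audit\/.*$|.*\.gz$)")

# Regex originally posted in the question.
ORIGINAL_BLACKLIST = re.compile(r"(audit|(\.gz$))")

# Constructed sample paths (assumption: not taken from the poster's servers).
SAMPLE_PATHS = [
    "/var/log/audit/audit.log",
    "/var/log/audit/audit.log.1",
    "/var/log/messages",
    "/var/log/messages-20240101.gz",
    "/var/log/secure",
    "/var/log/Audit/audit.log",  # case variant, only the (?i:...) form is meant to catch this
]


def is_blacklisted(path, pattern):
    """A blacklist regex is matched anywhere in the full path, so use search(), not match()."""
    return pattern.search(path) is not None


def apply_blacklist(paths, pattern):
    """Return the paths that would still be monitored under the given blacklist."""
    return [p for p in paths if not is_blacklisted(p, pattern)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_BLACKLIST), ("answer", ANSWER_BLACKLIST)):
        print(name, "keeps:", apply_blacklist(SAMPLE_PATHS, pattern))
```

Both patterns drop every audit path and every .gz file from this sample set, which is consistent with the poster's update that the same regex works when placed in inputs.conf: the problem is where the regex is configured, not the regex itself.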

Re: Why is my blacklist regular expression not working?

New Member

So I tried that in the web interface, but I'm not seeing it change anything. I say that because when I search source=/var/log/audit/audit.log it shows contents still being uploaded. Is there something I'd have to do to make this take effect? Again, I'm only using the web interface so far.
