Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

black list regex files starting with a period (.)

coreyCLI
Communicator
‎02-04-2021 04:22 AM

I have seen a few regex examples on this and I have used the regex tools online to test my regex to blacklist files that begin with a period (.) yet this example is not working.

example of inputs

[monitor:///dir/dir/dir/syslog]

index = index

sourcetype = sourcetype

host_regex=syslog\/(?P<host>.*)\.syslog

blacklist = ^\.\S

 

example filename = .filename.syslog.2021-01-01

Labels (1)
Labels
Tags (3)
0 Karma
Reply

coreyCLI
Communicator
‎02-10-2021 03:15 AM

Thanks for the quick reply Jacob.  While that didnt work for our specific case I do appreciate the response.  In the end, and I am usure why TBH, this is whats currently in place and working for us to blacklist files that start with a dot (.)

blacklist = \/dir\/dir\/syslog\/\.\S+

0 Karma
Reply

jacobpevans
Motivator
‎02-04-2021 05:46 AM

You have the ^\. part of the regex correct, but \S is matching a single non-whitespace character as seen here. I assume what you are really going for is ^\.\S*, but it would be more accurate to use ^\..* to blacklist every single file that either is a . or starts with one (see that here). The difference is that using \S* would not blacklist files that start with a . but have a space in them.

(Sorry for the bad formatting. Splunk is throwing all kinds of errors when I try to properly format the text)

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply

coreyCLI
Communicator
‎02-05-2021 07:08 AM

sady its not working for me.  I have also tried something more specific and still no joy.

blacklist = /dir/dir/dir/syslog/.*

and

blacklist = \/dir\/dir\/dir\/syslog\/\..*

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
li.common.scroll-to.top