Getting Data In

blacklist a string during file monitoring

Ashker
Loves-to-Learn

Hi Team,

I am monitoring blucoat proxy logs via syslog log collection method. My input.conf file is configured to read all logs inside the location opt/splunk/syslog/symantec/bluecoat/*/*.log.  below is the current configuration. Now i need to exclude the log which have cs-host=nxtengine.cpga.net.qa from indexing. 

[monitor:///opt/splunk/syslog/symantec/bluecoat/*/*.log]
sourcetype = bluecoat:proxysg:access:syslog
index = cus_XXX
host_segment = 6
disabled = false

Sample raw logs below

2024-08-07T14:12:37+03:00 10.253.253.44 Bluecoat|src=X.x.x.x|srcport=53936|dst=x.x.x.x|dstport=8443|username=abcdef$|devicetime=[07/08/2024:11:12:32 GMT]|s-action=TCP_DENIED|sc-status=407|cs-method=CONNECT|time-taken=11|sc-bytes=247|cs-bytes=816|cs-uri-scheme=tcp|cs-host=nxtengine.cpga.net.qa|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=-|rs(Content-Type)=-|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-|sc-filter-result=DENIED|filter-category=none|cs-uri=tcp://nxtengine.cpga.net.qa:8443/

 

 

 

 

 

 

Labels (1)
0 Karma

JohnEGones
Communicator

This may also be useful, you can let the already logged files remain and just refine the inputs conf to exclude the logs you don't want monitored and ingested.

https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999

In addition to PickleRick's DOC suggestion: 

https://docs.splunk.com/Documentation/Splunk/latest/Admin/InputsConf#MONITOR:

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Inputs settings can determine which files to monitor, but cannot filter events out of monitored files.  To do that, you need to use props and (optionally) transforms on an indexer or heavy forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...