Hi Team,
I am monitoring Bluecoat proxy logs via the syslog log collection method. My inputs.conf file is configured to read all logs inside the location opt/splunk/syslog/symantec/bluecoat/*/*.log. Below is the current configuration. Now I need to exclude the logs which have cs-host=nxtengine.cpga.net.qa from indexing.
[monitor:///opt/splunk/syslog/symantec/bluecoat/*/*.log]
sourcetype = bluecoat:proxysg:access:syslog
index = cus_XXX
host_segment = 6
disabled = false
Sample raw log below:
2024-08-07T14:12:37+03:00 10.253.253.44 Bluecoat|src=X.x.x.x|srcport=53936|dst=x.x.x.x|dstport=8443|username=abcdef$|devicetime=[07/08/2024:11:12:32 GMT]|s-action=TCP_DENIED|sc-status=407|cs-method=CONNECT|time-taken=11|sc-bytes=247|cs-bytes=816|cs-uri-scheme=tcp|cs-host=nxtengine.cpga.net.qa|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=-|rs(Content-Type)=-|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-|sc-filter-result=DENIED|filter-category=none|cs-uri=tcp://nxtengine.cpga.net.qa:8443/
This may also be useful: you can let the already logged files remain and just refine inputs.conf to exclude the logs you don't want monitored and ingested.
https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999
In addition to PickleRick's doc suggestion:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/InputsConf#MONITOR:
Inputs settings can determine which files to monitor, but cannot filter events out of monitored files. To do that, you need to use props and (optionally) transforms on an indexer or heavy forwarder.
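Worked example of that props/transforms approach, added here as an illustration and not posted by anyone in the thread. It assumes the sourcetype from the inputs.conf above and the pipe-delimited field layout of the sample event; the transforms stanza name drop_nxtengine_host is an arbitrary name chosen for this example. The two stanzas go in the respective .conf files on the indexer, or on the heavy forwarder that parses the data, not on a universal forwarder.

```ini
# props.conf on the indexer / heavy forwarder (added example, not from the thread)
# Binds the null-routing transform to the sourcetype used by the monitor stanza.
[bluecoat:proxysg:access:syslog]
TRANSFORMS-drop_nxtengine = drop_nxtengine_host

# transforms.conf on the same instance. The stanza name is an assumption.
# The regex is anchored on the pipe delimiters on both sides of the field,
# so it matches the cs-host value exactly and does not match a longer host
# (e.g. nxtengine.cpga.net.qa.example.com) or the same string inside cs-uri.
# Dots and pipes are escaped because the regex is PCRE.
[drop_nxtengine_host]
REGEX = \|cs-host=nxtengine\.cpga\.net\.qa\|
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the instance that parses the data after deploying the files. Events matching the regex are dropped at parse time, so they never reach index cus_XXX and do not count against the license; events that were already indexed stay until they age out. Since this runs against the raw event, it is independent of the order of fields in the log, but it would stop matching if the proxy's field delimiter or the cs-host field name changed, so check the regex against a fresh sample event before relying on it. An inputs.conf blacklist, by contrast, only matches file paths, which does not help here because events for this host are mixed into the same per-source-host log files as everything else.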