
fschange filters for windows

heterodyned
Path Finder

I tried searching for documentation on how to implement filters for directories (in fschange).

Could someone let me know where I could find documentation on this? The documentation page has an example to blacklist all the contents within a directory; how about a particular directory?

Here is my Windows fschange implementation:

[filter:blacklist:pamping]
regex1=\*\ignore\*  (I tried c:\pamping\ignore\* but it didn't work)

[fschange:c:\pamping]
index = _audit
sourcetype = fschange
signedaudit = false
sendEventMaxSize = -1
recurse = true
disabled = false
pollPeriod = 60
filesPerDelay = 10
delayInMills = 100
followLinks = false
fullEvent = false
filters=pamping

The filter set above wasn't filtering events within the ignore directory. Am I applying the filter incorrectly?


Lowell
Super Champion

Looks like your regex is incorrect. Try using the filter:

[filter:blacklist:pamping]
regex1 = .*ignore.*

Or, for your original path:

[filter:blacklist:pamping]
regex1 = c:\\pamping\\ignore\\.*

Keep in mind that when you are writing a regex, you have to use "\\" to match a single "\". And you have to use ".*" to mean match any character 0 or more times.

Your original regex of "\*\ignore\*" is literally interpreted as match a literal "*" followed by an "i" (I don't think that "\i" means anything in regex speak, so this is my best guess) followed by "gnore" followed by a literal "*"; which isn't at all what you want. For a general regex introduction and other helpful resources, check out: http://www.regular-expressions.info/


Lowell
Super Champion

Yeah. You can use either a literal forward slash like "/", or if you are writing rules that can be used on either location, then I use [/\\] which will match a single forward slash for unix, or a backslash for windows. As far as the delete parent stuff, I don't fully get how that works myself. If you keep getting them after your initial filter change, then I would suggest posting another question about it.

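The regexes from the accepted answer and the [/\\] variant from the comment above, run against constructed sample paths in a small Python model. This is an added example, not code from the thread or from Splunk; it assumes a blacklist regex has to match the whole path (which is why both fixes wrap the interesting part in ".*"), and the paths are made up for the demonstration.

```python
import re

# Constructed sample paths (not from the thread): Windows events from the
# monitored tree, one with an uppercase drive letter, plus one Linux path.
SAMPLE_PATHS = [
    r"c:\pamping\ignore\secrets.txt",
    r"c:\pamping\ignore\sub\deeper.log",
    r"C:\pamping\ignore\old.txt",
    r"c:\pamping\keep\config.ini",
    r"/srv/pamping/ignore/cron.log",
]

# The original (broken) filter and the three corrected forms from the thread.
ORIGINAL = r"\*\ignore\*"
FIX_ANY = r".*ignore.*"
FIX_PATH = r"c:\\pamping\\ignore\\.*"
FIX_PORTABLE = r".*[/\\]pamping[/\\]ignore[/\\].*"  # [/\\] = either separator


def compile_filter(pattern):
    """Compile a filter regex; return None when it is not valid regex syntax.

    Python's re, like PCRE, rejects unknown letter escapes such as "\\i".
    """
    try:
        return re.compile(pattern)
    except re.error:
        return None


def blacklisted(pattern, path):
    """True when a blacklist filter with this regex would drop the event for path.

    Assumption: the regex must match the entire path, hence the ".*" wrappers.
    """
    rx = compile_filter(pattern)
    return rx is not None and rx.fullmatch(path) is not None


def apply_blacklist(pattern, paths=SAMPLE_PATHS):
    """Return the paths whose events still get through under the given filter."""
    return [p for p in paths if not blacklisted(pattern, p)]


if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("fix_any", FIX_ANY),
                      ("fix_path", FIX_PATH), ("fix_portable", FIX_PORTABLE)]:
        ok = compile_filter(pat) is not None
        print(f"{name:12s} compiles={ok!s:5s} still monitored: {apply_blacklist(pat)}")
```

The literal-path form is case-sensitive, so the uppercase-drive-letter sample slips past it while the ".*ignore.*" and [/\\] forms catch it; a filter that does not compile at all drops nothing, so the original pattern leaves every event flowing.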

heterodyned
Path Finder

Thank you so much, is this format specifically for Windows? Or would it apply for Linux as well? For Linux I generally use the
/Folder/Subfolder/* format, and it generally filters the data, but does a strange delete-parent, delete etc...
