Getting Data In

inputs.conf blacklist format- Is there a format that needs to be adhered to when using a blacklist with regex?

dolj
Loves-to-Learn Everything

is there a format that needs to be adhered to when using a blacklist with regex? 

I am trying to format "New Process Name:" with a regex that will extract events from a specific data source. 

I have tested the regex with regex101 and it identifies the events that I want to filter and is basically

blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\......

should that work or do I need to format it something more like

blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\...... 

my current blacklist is resulting in 

ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'......

According to this document,

https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata

blacklist = <your_custom_regex>

 should work. 

 

Thanks

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dolj,

when you have "\" backslash in your blacklist, you have to escape it using three backslashes:

blacklist3 = New\sProcess\sName:\s+C:\\\Program\sFiles\s\(x86\)\\\......

you can try it in Splunk search to find the correct regex to filter your filenames, something like this:

| makeresults | eval _raw= "C:\Program Files (x86)\Google" | regex "C:\\\Program Files \(x86\)\\\Google"

Ciao.

Giuseppe

0 Karma

jotne
Builder

Escaping with regex may make it hard to read, but luckily there is a smart way around it.
You can start and stop in regex with \Q  and \E on what you like to get literal.

| makeresults
| eval _raw= "C:\Program Files (x86)\Google"
| regex "\QC:\Program Files (x86)\Google\E"

 This makes regex much more readable.
https://www.regular-expressions.info/characters.html

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...