Splunk Enterprise

How to filter certain logs on a forwarder with certain keywords or KV pairs in inputs.conf

nevinas
New Member

How do we filter certain logs on an HF using inputs.conf?

Tried the below 2 ways but no luck.

---------------------------------------------------------

[monitor:///syslog/cisco/ios/]
blacklist = IME_ID = "*"
blacklist1 = TCA_ID = "*"

-------------------------------------------------------------

[monitor:///syslog/cisco/ios/]
blacklist2="DOMAIN-2-IME_DETAILS"
blacklist3 = "DOMAIN-2-IME_DETAILS"

0 Karma

to4kawa
Ultra Champion
blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
  specified regex.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

Maybe you need a transforms.conf setting.

0 Karma
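
The transforms.conf approach suggested in the answer above, as an added example that is not part of the original thread: because `blacklist` in inputs.conf only matches file paths, event-level filtering is done at parse time by routing matching events to `nullQueue`. The stanza name `drop_cisco_ime_tca` and the class name `drop_noise` are hypothetical, and the regex assumes the keywords from the question appear literally in the raw event text.

```ini
# ---- props.conf (on the heavy forwarder) ----
# Apply the transform to every file under the monitored path from the question.
# "..." in a source:: stanza matches any number of path segments.
[source::/syslog/cisco/ios/...]
TRANSFORMS-drop_noise = drop_cisco_ime_tca

# ---- transforms.conf (on the heavy forwarder) ----
# Hypothetical stanza name; it must match the value used in props.conf.
[drop_cisco_ime_tca]
# Assumption: events to drop contain "IME_ID = ...", "TCA_ID = ..."
# or the message tag DOMAIN-2-IME_DETAILS somewhere in _raw.
REGEX = (?:IME_ID|TCA_ID)\s*=|DOMAIN-2-IME_DETAILS
# Send matching events to the null queue instead of the index queue.
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to `nullQueue` are discarded before indexing and cannot be recovered, so keep the `REGEX` as narrow as the noise you intend to drop. Restart the forwarder after editing both files.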