Splunk Enterprise

input.conf log filtering

splunkcol
Builder

 

I have a route that has all the logs, but in it there are several types of logs, I only need some that start with a certain name.

Apple
banana
mango
dns.log
dns_1123.log
dns3_1.log

if I need the log that starts with dns and ends in anything else I understand that I can use dns *

[monitor:///folder1/folder2/folder3/folder/logs/dns*]
disabled = false
host = 10.10.10.10
index = myindex
sourcetype = mysourcetype

 

But when I check the logs that are being indexed, all the logs are arriving, even the ones that I don't need, how else can I make only the ones that start with dns arrive and not the other logs?

Labels (2)
1 Solution

inventsekar
Ultra Champion

i am not sure why it does not work.. all looks good, though.  maybe, try white listing. 

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata

 

 

[monitor:///folder1/folder2/folder3/folder/logs/dns*]
whitelist = dns.*\.log$
disabled = false
host = 10.10.10.10
index = myindex
sourcetype = mysourcetype

 

View solution in original post

0 Karma

inventsekar
Ultra Champion

i am not sure why it does not work.. all looks good, though.  maybe, try white listing. 

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata

 

 

[monitor:///folder1/folder2/folder3/folder/logs/dns*]
whitelist = dns.*\.log$
disabled = false
host = 10.10.10.10
index = myindex
sourcetype = mysourcetype

 

0 Karma

splunkcol
Builder

Thank you very much for your answer, it helped me a lot.

After working I remembered that I had configured the input.conf and output.conf files in two different paths, one in apps and the other in the system

It has already been solved, thank you very much.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...