Splunk Search

Regex assistance - Blacklist host.

jmasat
Observer

Team,

I would like assistance with creating a regex, specifically to blacklist 1 host name - it happens to be the Splunk server - very noisy.

Alternately would like direction to site or resource that could help with creation of regex and debugging.

I have had no luck - too many hours to quantify.

This was the best so far - but even as submitted (results all green) the regex did not work.

http://regjex.com/

0 Karma

jmasat
Observer

Thank you for the URL -

Respectfully - I had found it before - but it was of little help.

I am looking for something that breaks regex down (with examples) so that I may understand.


This site was far too esoteric.

0 Karma

richgalloway
SplunkTrust

To provide a regular expression for you, we need example data with an indication of what is to be selected or ignored.

Where are you wanting to put this blacklist?

Why are you blacklisting Splunk?  I know you said it's noisy, but this is an unusual use case.  Having Splunk logs available will help with troubleshooting in the future.

Have you tried https://regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jmasat
Observer

I will look at the URL provided.  

The failing may be on my end (not a programmer in the slightest).

Agreed, the host logs may be useful (at some time); for the moment I need to band-aid a poor install.

Many issues - example - data regularly exceeds the 100000 per second limit...


Regardless -

Blacklist = \.(?:log)$ (this was to blacklist all logs being ingested from the splunkd source)

0 Karma

richgalloway
SplunkTrust

If splunkd is generating > 100,000 events per second then I suspect there's a problem that should be investigated and resolved rather than ignored.

Blacklists do not need capture groups.

Blocking all *.log files may unintentionally block wanted log files. Perhaps the file path being monitored is too broad.

---
If this reply helps you, Karma would be appreciated.
0 Karma
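A worked illustration of the point above, added here and not part of richgalloway's reply or the original thread: it applies a blacklist regex to constructed file paths the way a monitor stanza blacklist does (an unanchored regex search over the full path), and compares the thread's \.(?:log)$ pattern with a hypothetical pattern scoped to the Splunk server's own log directory. The paths and the scoped pattern are assumptions for the example.

```python
import re

# Constructed sample paths, as a monitor stanza over a broad directory would see them.
# The first two are the Splunk server's own logs; the rest are application logs to keep.
SAMPLE_PATHS = [
    "/opt/splunk/var/log/splunk/splunkd.log",
    "/opt/splunk/var/log/splunk/metrics.log",
    "/var/log/app/web.log",
    "/var/log/app/auth.log",
    "/var/log/app/web.log.1",  # rotated file: note it does not end in ".log"
]

# The pattern from the thread: matches any path ending in ".log".
BROAD_BLACKLIST = r"\.(?:log)$"
# Same effect without the non-capturing group; a blacklist never needs one.
BROAD_NO_GROUP = r"\.log$"
# Hypothetical scoped pattern: only the Splunk server's own log directory.
SCOPED_BLACKLIST = r"/var/log/splunk/"


def is_blacklisted(path: str, blacklist: str) -> bool:
    """A blacklist is applied as an unanchored regex search against the full path."""
    return re.search(blacklist, path) is not None


def apply_blacklist(paths, blacklist):
    """Return (blocked, kept) lists, mimicking which files a monitor stanza would skip."""
    blocked = [p for p in paths if is_blacklisted(p, blacklist)]
    kept = [p for p in paths if not is_blacklisted(p, blacklist)]
    return blocked, kept


def same_effect(paths, pattern_a, pattern_b):
    """True if two blacklist regexes block exactly the same files."""
    return apply_blacklist(paths, pattern_a)[0] == apply_blacklist(paths, pattern_b)[0]


if __name__ == "__main__":
    for name, pattern in [("broad", BROAD_BLACKLIST), ("scoped", SCOPED_BLACKLIST)]:
        blocked, kept = apply_blacklist(SAMPLE_PATHS, pattern)
        print(f"{name}: blocked={blocked}")
        print(f"{name}: kept={kept}")
```

The broad pattern blocks the wanted application logs while letting the rotated web.log.1 through; the scoped pattern blocks only the Splunk server's own files.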

jmasat
Observer

I agree with your statement - this however is a "burning building" that I inherited.

I would personally fast fail and start the process over.

The server was stood up with no planning - targeting hosts that I do not have access to.

So I have to accomplish data shaping by blocking data as it is ingested.

0 Karma