Splunk Search

Regex assistance - Blacklist host.

jmasat
Observer

Team,

I would like assistance with creating a regex, specifically to blacklist 1 host name - it happens to be the Splunk server - very noisy.

Alternately, I would like direction to a site or resource that could help with the creation of regex and debugging.

I have had no luck - too many hours to quantify.

This was the best so far - but even as submitted (results all green) the regex did not work.

http://regjex.com/

0 Karma

jmasat
Observer

Thank you for the URL -

Respectfully - I had found it before - but it was of little help.

I am looking for something that breaks regex down (with examples) so that I may understand.

This site was far too esoteric.

0 Karma

richgalloway
SplunkTrust

To provide a regular expression for you, we need example data with an indication of what is to be selected or ignored.

Where are you wanting to put this blacklist?

Why are you blacklisting Splunk?  I know you said it's noisy, but this is an unusual use case.  Having Splunk logs available will help with troubleshooting in the future.

Have you tried https://regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jmasat
Observer

I will look at the URL provided.

The failing may be on my end (not a programmer in the slightest).

Agreed the host logs may be useful (at some time); for the moment I need to band-aid a poor install.

Many issues - for example, data regularly exceeds the 100000 per second limit...

Regardless -

Blacklist = \.(?:log)$   (this was to blacklist all logs being ingested from the splunkd source)

0 Karma

richgalloway
SplunkTrust

If splunkd is generating > 100,000 events per second then I suspect there's a problem that should be investigated and resolved rather than ignored.

Blacklists do not need capture groups.

Blocking all *.log files may unintentionally block wanted log files. Perhaps the file path being monitored is too broad.
---
If this reply helps you, Karma would be appreciated.
0 Karma
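The two points in the reply above (the non-capturing group adds nothing, and a bare \.log$ blacklist is broader than intended) can be checked offline with a few lines of Python before touching inputs.conf. This is an added illustration, not code from either poster or from Splunk; the file paths are constructed samples, and it assumes the blacklist regex is applied to the full monitored path with unanchored search semantics (as re.search does).

```python
import re

# Constructed sample paths of the kind a forwarder's monitor stanza might see.
# Assumption: these are illustrative, not taken from the thread or any real host.
SAMPLE_PATHS = [
    "/opt/splunk/var/log/splunk/splunkd.log",
    "/opt/splunk/var/log/splunk/metrics.log",
    "/opt/splunk/var/log/splunk/splunkd_access.log",
    "/var/log/httpd/access.log",   # a wanted application log
    "/var/log/secure",
    "/var/log/messages",
]

# Candidate blacklist regexes. "original" is the pattern from the thread;
# "simplified" drops the unnecessary non-capturing group; "splunk_only" is
# an assumed narrower pattern that keys on the Splunk-internal log directory.
PATTERNS = {
    "original": r"\.(?:log)$",
    "simplified": r"\.log$",
    "splunk_only": r"/var/log/splunk/[^/]+\.log$",
}


def blacklisted(pattern: str, paths) -> list:
    """Return the paths a blacklist regex would suppress (unanchored search)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def kept(pattern: str, paths) -> list:
    """Return the paths that survive the blacklist (the complement)."""
    blocked = set(blacklisted(pattern, paths))
    return [p for p in paths if p not in blocked]


def patterns_equivalent(p1: str, p2: str, paths) -> bool:
    """True when two regexes block exactly the same sample paths."""
    return blacklisted(p1, paths) == blacklisted(p2, paths)


def collateral(pattern: str, wanted_prefix: str, paths) -> list:
    """Paths outside the Splunk log directory that the pattern would also block."""
    return [p for p in blacklisted(pattern, paths) if not p.startswith(wanted_prefix)]


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name:12s} {pat!r}")
        for p in SAMPLE_PATHS:
            mark = "BLOCK" if p in blacklisted(pat, SAMPLE_PATHS) else "keep "
            print(f"    {mark} {p}")
    print("original == simplified:",
          patterns_equivalent(PATTERNS["original"], PATTERNS["simplified"], SAMPLE_PATHS))
    print("collateral from original:",
          collateral(PATTERNS["original"], "/opt/splunk/", SAMPLE_PATHS))
```

Running it shows that the original and simplified patterns block exactly the same files, and that both also block the httpd access log, which is the unintended effect the reply warns about; the narrower pattern blocks only the files under the Splunk log directory. The same dry run can be done at regex101 by pasting the sample paths as the test string, one per line, with the multiline flag set.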

jmasat
Observer

I agree with your statement - this however is a "burning building" that I inherited.

I would personally fast fail and start the process over.

The server was stood up with no planning - targeting hosts that I do not have access to.

So I have to accomplish data shaping by blocking data as it is ingested.

0 Karma