
Regex assistance - Blacklist host.

jmasat
Observer

Team,

I would like assistance with creating regex, specifically to blacklist 1 host name - it happens to be the Splunk server - very noisy.

Alternately would like direction to site or resource that could help with creation of regex and debugging.

I have had no luck - too many hours to quantify.

This was the best so far - but even as submitted (results all green) the regex did not work.

http://regjex.com/

0 Karma

jmasat
Observer

Thank you for the URL.

Respectfully - I had found it before - but it was of little help.

I am looking for something that breaks regex down (with examples) so that I may understand.

This site was far too esoteric.

0 Karma

richgalloway
SplunkTrust

To provide a regular expression for you, we need example data with an indication of what is to be selected or ignored.

Where are you wanting to put this blacklist?

Why are you blacklisting Splunk? I know you said it's noisy, but this is an unusual use case. Having Splunk logs available will help with troubleshooting in the future.

Have you tried https://regex101.com?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jmasat
Observer

I will look at the URL provided.

The failing may be on my end (not a programmer in the slightest).

Agreed, the host logs may be useful (at some time); for the moment I need to band-aid a poor install.

Many issues - example: data regularly exceeds the 100000 per second limit...

Regardless -

Blacklist = \.(?:log)$ (this was to blacklist all logs being ingested from the splunkd source)

0 Karma

richgalloway
SplunkTrust

If splunkd is generating > 100,000 events per second then I suspect there's a problem that should be investigated and resolved rather than ignored.

Blacklists do not need capture groups.

Blocking all *.log files may unintentionally block wanted log files. Perhaps the file path being monitored is too broad.

---
If this reply helps you, Karma would be appreciated.
0 Karma
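The warning above that a blacklist of all *.log files will catch wanted logs can be checked offline before touching inputs.conf. The script below is an added example, not code from this thread or from Splunk: it assumes that a monitor stanza's blacklist regex is tested against each file's full path with search (not full-match) semantics, which is how Splunk documents the blacklist setting, and it runs the thread's pattern against a constructed list of paths. The splunkd.log location is Splunk's default install path and is an assumption here; the other paths are made up.

```python
import re

# Constructed sample of file paths a broad monitor stanza on a Splunk server might see.
SAMPLE_PATHS = [
    "/opt/splunk/var/log/splunk/splunkd.log",         # the noisy splunkd log (assumed default location)
    "/opt/splunk/var/log/splunk/metrics.log",         # other Splunk-internal logs
    "/opt/splunk/var/log/splunk/splunkd_access.log",
    "/var/log/auth.log",                              # wanted OS security log
    "/var/log/syslog",                                # no .log suffix at all
    "/var/log/app/payments.log",                      # wanted application log
    "/var/log/app/payments.log.1",                    # rotated copy, suffix no longer at end of path
]

# Candidate blacklist patterns (regex syntax as it would appear in inputs.conf).
BROAD = r"\.(?:log)$"                       # the pattern from the thread: any path ending in .log
NO_GROUP = r"\.log$"                        # same thing without the (non-capturing) group
NARROW = r"/var/log/splunk/[^/]+\.log$"     # only files directly under Splunk's own log directory
ONLY_SPLUNKD = r"/splunkd\.log$"            # just the single noisy file


def apply_blacklist(pattern, paths):
    """Split paths into (blocked, kept) the way a monitor blacklist would.

    re.search is used because a blacklist regex only needs to match somewhere
    in the full path, not the entire path.
    """
    rx = re.compile(pattern)
    blocked = [p for p in paths if rx.search(p)]
    kept = [p for p in paths if not rx.search(p)]
    return blocked, kept


def collateral(pattern, paths, wanted):
    """Return the wanted paths that the pattern would also block (the 'too broad' check)."""
    blocked, _ = apply_blacklist(pattern, paths)
    return [p for p in blocked if p in wanted]


def report(pattern, paths, wanted):
    """Human-readable summary: how many files a pattern blocks and which wanted ones it hits."""
    blocked, kept = apply_blacklist(pattern, paths)
    hits = collateral(pattern, paths, wanted)
    return (f"{pattern!r}: blocks {len(blocked)}, keeps {len(kept)}, "
            f"wanted files lost: {hits if hits else 'none'}")


if __name__ == "__main__":
    wanted = ["/var/log/auth.log", "/var/log/app/payments.log"]
    for pat in (BROAD, NO_GROUP, NARROW, ONLY_SPLUNKD):
        print(report(pat, SAMPLE_PATHS, wanted))
```

Running it shows the thread's pattern blocking both wanted logs along with the Splunk-internal ones, the group-free variant behaving identically (the `(?:...)` adds nothing), and the two anchored patterns blocking only what lives under the Splunk log directory. Whichever pattern is chosen, checking it against a listing of the directory actually being monitored is cheaper than discovering missing events later.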

jmasat
Observer

I agree with your statement - this however is a "burning building" that I inherited.

I would personally fast fail and start the process over.

The server was stood up with no planning - targeting hosts that I do not have access to.

So I have to accomplish data shaping by blocking data as it is ingested.

0 Karma