Splunk Search

Unable to blacklist multiple patterns using "|" in inputs.conf?

pimco_rgoyal
Observer

I have used the below configuration as part of my inputs.conf but am unable to blacklist the logs that end with client.log and server.log using this. For now I had to explicitly add "blacklist = .server.log$" to blacklist them. Any changes needed to fix and get this working here?


DalJeanis
Legend

1) I'm seeing spaces between the | and the terms beside it. That would cause issues.
2) Remember that a . matches anything, so if you mean only the character ., then you need to escape it like this - \. .
3) Parentheses are not necessary in this context, when you are providing alternates for the entire pattern. They are useful if you want to give alternatives for a small part of a pattern.
4) If the file names may be case sensitive, then (i) at the front of the pattern can make the regular expression case-insensitive.

So, if the individual blacklist lines worked and were not case sensitive, then either of these should work...

\.client\.log$|\.server\.log$

...or ...

\.(client|server)\.log$
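
An added example, not part of the original thread: a Python check of the patterns discussed above against constructed file paths, using Python's `re` as a stand-in for the regex matching Splunk applies to `blacklist`. It shows which files each variant would actually exclude, so an over-broad or never-matching blacklist is caught before it drops or admits the wrong logs. The spaced and unescaped patterns, the `(?i)` variant and the sample paths are assumptions for illustration; the poster's original configuration is not shown on the page.

```python
import re

# Constructed sample paths (illustrative, not from the original post).
SAMPLE_PATHS = [
    "/var/log/app/node1.client.log",
    "/var/log/app/node1.server.log",
    "/var/log/app/node1.audit.log",
    "/var/log/app/node1.SERVER.log",
    "/var/log/app/webserver_log",
]

# Candidate blacklist values. The first two are assumed faulty variants that
# reproduce points 1 and 2 of the answer; the next two are the answer's patterns.
PATTERNS = {
    "spaced":      r"\.client\.log$ | \.server\.log$",
    "unescaped":   r".client.log$|.server.log$",
    "alternation": r"\.client\.log$|\.server\.log$",
    "grouped":     r"\.(client|server)\.log$",
    # Inline case-insensitive flag, added here as an assumption.
    "grouped_ci":  r"(?i)\.(client|server)\.log$",
}


def blacklisted(pattern, paths=SAMPLE_PATHS):
    """Return the paths an unanchored regex search on the full path would exclude."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def report(patterns=PATTERNS, paths=SAMPLE_PATHS):
    """Map each pattern name to the file names it would exclude."""
    return {
        name: [p.rsplit("/", 1)[-1] for p in blacklisted(rx, paths)]
        for name, rx in patterns.items()
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:12} -> {hits if hits else 'nothing excluded'}")
```

The spaced variant excludes nothing because the literal spaces become part of each alternative, and the unescaped variant also excludes `webserver_log`, a file that was never meant to be dropped.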
