What is this issue with the monitor stanza in inpu...

Abha11 · ‎01-26-2021

I am having an issue with one of my monitor stanza in inputs.conf. The stanza is as below:

[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0

So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log but it is also igesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2 which I don't want to happen.

Does anyone knows why it is happening.?

I have been scratching my head. Any help appreciated.

Thanks.

isoutamo · ‎01-26-2021

Hi

I'm not sure if these helps bt at lest you should fix those.

[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

As backlist is a regular expression you must escape . as \. Also you should add missing \ after drive letter.

You could se splunk btool inputs list --debug to check how splunk UF sees this stanza and where it takes those definitions.

r. Ismo

Abha11 · ‎01-27-2021

Hi @isoutamo ,

Thank you for the answer and trying to help me.

I have added escape ./ in blacklist. Since it is windows box so there shouldn't be third / after drive letter.

isoutamo · ‎01-28-2021

Hi
escape should be \. not ./
Based on documentation and experience that \ should be there between drive letter and top level directory

What is this issue with the monitor stanza in inputs.conf?

other

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest