Splunk Search

What is this issue with the monitor stanza in inputs.conf?

Abha11
Explorer

I am having an issue with one of my monitor stanza in inputs.conf. The stanza is as below: 

[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0

So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log but it is also igesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2 which I don't want to happen.

Does anyone knows why it is happening.?

I have been scratching my head. Any help appreciated.

Thanks.

Labels (1)
Tags (2)
0 Karma

soutamo
SplunkTrust
SplunkTrust

Hi

I'm not sure if these helps bt at lest you should fix those.

[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

 

As backlist is a regular expression you must escape . as \. Also you should add missing \ after drive letter.

You could se splunk btool inputs list --debug to check how splunk UF sees this stanza and where it takes those definitions.

r. Ismo

0 Karma

Abha11
Explorer

Hi @soutamo ,

 

Thank you for the answer and trying to help me. 

I have added escape  ./ in blacklist. Since it is windows box so there shouldn't be third / after drive letter.

 

0 Karma

soutamo
SplunkTrust
SplunkTrust
Hi
escape should be \. not ./
Based on documentation and experience that \ should be there between drive letter and top level directory
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!