Splunk Search

What is this issue with the monitor stanza in inputs.conf?

Abha11
Explorer

I am having an issue with one of my monitor stanzas in inputs.conf. The stanza is as below:

[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0

So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log, but it is also ingesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2, which I don't want to happen.

Does anyone know why it is happening?

I have been scratching my head. Any help appreciated.

Thanks.

0 Karma

isoutamo
SplunkTrust

Hi

I'm not sure if these help, but at least you should fix those.

[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

 

As blacklist is a regular expression, you must escape . as \. Also, you should add the missing \ after the drive letter.

You could use splunk btool inputs list --debug to check how the Splunk UF sees this stanza and where it takes those definitions from.

r. Ismo

0 Karma
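The effect of escaping the dot in the blacklist, as an added example that is not from either poster: it runs both patterns from the thread over constructed sample paths. It assumes the blacklist is applied as an unanchored regex search against the full file path, with Python's `re` standing in for Splunk's PCRE (the two agree for these patterns).

```python
import re

# Patterns copied from the thread: the original blacklist and the escaped one.
UNESCAPED = r".(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$"
ESCAPED = r"\.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$"

# Constructed sample paths (illustrative only, not taken from a real host).
BASE = "E:\\Speech\\Tomcat2232\\logs\\"
SAMPLES = [
    BASE + "abc-call-router.log",
    BASE + "abc-call-router.log.1",
    BASE + "abc-call-router.log.2",
    BASE + "abc-call-router.log.gz",
    BASE + "abc-call-router.log.1.zip",
    BASE + "router-fetc",   # no dot before "etc"
    BASE + "nightly_tmp",   # no dot before "tmp"
]


def is_blacklisted(pattern, path):
    """Assumption: a path is excluded when the regex matches anywhere in it."""
    return re.search(pattern, path) is not None


def compare(paths=SAMPLES):
    """Map each path to (excluded by unescaped pattern, excluded by escaped pattern)."""
    return {p: (is_blacklisted(UNESCAPED, p), is_blacklisted(ESCAPED, p)) for p in paths}


def only_unescaped_blocks(paths=SAMPLES):
    """Paths the unescaped pattern drops by accident (any character before the suffix)."""
    return [p for p, (u, e) in compare(paths).items() if u and not e]


def rotated_not_blocked(paths=SAMPLES):
    """Numbered rotations (.log.N) that neither pattern excludes."""
    return [p for p, (u, e) in compare(paths).items()
            if re.search(r"\.log\.\d+$", p) and not u and not e]


if __name__ == "__main__":
    for path, (u, e) in compare().items():
        print(f"{path:55} unescaped={u!s:5} escaped={e}")
```

Neither pattern matches `.log.1` or `.log.2`, so the blacklist on its own does not exclude the numbered rotations, whichever form of the dot is used.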

Abha11
Explorer

Hi @isoutamo ,

 

Thank you for the answer and trying to help me. 

I have added the escape ./ in the blacklist. Since it is a Windows box, there shouldn't be a third / after the drive letter.

 

0 Karma

isoutamo
SplunkTrust
Hi
The escape should be \. not ./
Based on documentation and experience, that \ should be there between the drive letter and the top-level directory.
0 Karma