Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is this issue with the monitor stanza in inputs.conf?

Abha11
Explorer
‎01-26-2021 02:47 PM

I am having an issue with one of my monitor stanza in inputs.conf. The stanza is as below: 

[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0

So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log but it is also igesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2 which I don't want to happen.

Does anyone knows why it is happening.?

I have been scratching my head. Any help appreciated.

Thanks.

Tags (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-26-2021 11:49 PM

Hi

I'm not sure if these helps bt at lest you should fix those.

[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$

 

As backlist is a regular expression you must escape . as \. Also you should add missing \ after drive letter.

You could se splunk btool inputs list --debug to check how splunk UF sees this stanza and where it takes those definitions.

r. Ismo

0 Karma
Reply

Abha11
Explorer
‎01-27-2021 02:45 PM

Hi @isoutamo ,

 

Thank you for the answer and trying to help me. 

I have added escape  ./ in blacklist. Since it is windows box so there shouldn't be third / after drive letter.

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-28-2021 06:08 AM
Hi
escape should be \. not ./
Based on documentation and experience that \ should be there between drive letter and top level directory
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...