Splunk Search

blacklist file form inputs.conf

smudge797
Path Finder

Here is my input.conf.

[monitor:///tcom/servers/.../logs/*]
blacklist = this_log.log-12345678
sourcetype = app
index = tcom

I know this is wrong as its not working this_log.log-12345678 files are getting in, i think I need a regex to make the blacklist work.. Is that correct? Im pretty new to regex so any help would be greatly appreciated.

Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

View solution in original post

u519899
New Member

try this
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$

0 Karma

u519899
New Member

try this regex

[monitor:///tcom/servers/.../logs/*]
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$
index=yourindexname
sourcetype=yoursourcetypename

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you adding new blacklist attribute? or just updating the existing one (and restarting after changing the file)? The regex "blacklist = tomcat_access_\d{4}-\d{2}-\d{2}\.log$" looks correct to me. If possible post your current inputs.conf entry for this.

0 Karma

smudge797
Path Finder

I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

backslashes are missing in here for some reason.

0 Karma

nawazns5038
Builder

put a \ before .

.log$

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

smudge797
Path Finder

this_log.log-\d{8}$
I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

0 Karma

smudge797
Path Finder

so the figure 12345678 are actually a year month dat ie 20140624...

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...