Splunk Search
Highlighted

blacklist file form inputs.conf

Path Finder

Here is my input.conf.

[monitor:///tcom/servers/.../logs/*]
blacklist = this_log.log-12345678
sourcetype = app
index = tcom

I know this is wrong as its not working this_log.log-12345678 files are getting in, i think I need a regex to make the blacklist work.. Is that correct? Im pretty new to regex so any help would be greatly appreciated.

Thanks!

0 Karma
Highlighted

Re: blacklist file form inputs.conf

SplunkTrust
SplunkTrust

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

View solution in original post

Highlighted

Re: blacklist file form inputs.conf

Path Finder

so the figure 12345678 are actually a year month dat ie 20140624...

0 Karma
Highlighted

Re: blacklist file form inputs.conf

Path Finder

thislog.log-\d{8}$
I am now seeing logs from:
logs/tomcat
access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcataccess\d{4}-\d{2}-\d{2}.log$"

0 Karma
Highlighted

Re: blacklist file form inputs.conf

Path Finder

I am now seeing logs from:
logs/tomcataccess2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcataccess\d{4}-\d{2}-\d{2}.log$"

backslashes are missing in here for some reason.

0 Karma
Highlighted

Re: blacklist file form inputs.conf

Builder

put a \ before .

.log$

0 Karma
Highlighted

Re: blacklist file form inputs.conf

SplunkTrust
SplunkTrust

Are you adding new blacklist attribute? or just updating the existing one (and restarting after changing the file)? The regex "blacklist = tomcataccess\d{4}-\d{2}-\d{2}\.log$" looks correct to me. If possible post your current inputs.conf entry for this.

0 Karma
Highlighted

Re: blacklist file form inputs.conf

New Member

try this regex

[monitor:///tcom/servers/.../logs/*]
blacklist = .+tomcataccess\d{4}\D\d{2}\D\d{2}.log$
index=yourindexname
sourcetype=yoursourcetypename

0 Karma
Highlighted

Re: blacklist file form inputs.conf

New Member

try this
blacklist = .+tomcataccess\d{4}\D\d{2}\D\d{2}.log$

0 Karma