×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Ashker
Loves-to-Learn
Member since: ‎08-07-2024
‎08-07-2024
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-07-2024
Activity Feed
View All

blacklist a string during file monitoring

by in Getting Data In
‎08-07-2024 04:29 AM
‎08-07-2024 04:29 AM
Hi Team, I am monitoring blucoat proxy logs via syslog log collection method. My input.conf file is configured to read all logs inside the location opt/splunk/syslog/symantec/bluecoat/*/*.log.  below is the current configuration. Now i need to exclude the log which have cs-host=nxtengine.cpga.net.qa from indexing.  [monitor:///opt/splunk/syslog/symantec/bluecoat/*/*.log] sourcetype = bluecoat:proxysg:access:syslog index = cus_XXX host_segment = 6 disabled = false Sample raw logs below 2024-08-07T14:12:37+03:00 10.253.253.44 Bluecoat|src=X.x.x.x|srcport=53936|dst=x.x.x.x|dstport=8443|username=abcdef$|devicetime=[07/08/2024:11:12:32 GMT]|s-action=TCP_DENIED|sc-status=407|cs-method=CONNECT|time-taken=11|sc-bytes=247|cs-bytes=816|cs-uri-scheme=tcp|cs-host=nxtengine.cpga.net.qa|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=-|rs(Content-Type)=-|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-|sc-filter-result=DENIED|filter-category=none|cs-uri=tcp://nxtengine.cpga.net.qa:8443/             ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-07-2024 09:33 AM