Getting Data In

Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

jeisonrosado
Loves-to-Learn

I have 2 files I want to monitor for in the same directory with 2 different sourcetypes. My issue is both files are being picked up by sourcetype a because of the wildcard. The wildcard is needed for the dates that follow the log name. I tried blacklisting the diagnostic file from sourcetype a but that did not work.

 

 

[monitor://E:\path\to\log\directory\HFMWeb*-diagnostic.log]
sourcetype = <sourcetype b>
disabled = false
index = <index>
crcSalt = <SOURCE>

[monitor://E:\path\to\log\directory\HFMWeb*.log]
sourcetype = <sourcetype a>
disabled = false
index = <index>
crcSalt = <SOURCE>
blacklist = \-diagnostic

 

 

Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

Labels (2)
0 Karma

Splunker96
Builder

Hi @jeisonrosado 

You could follow example 3 or 4 listed in the below manual.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata

 

Hope this info helps.

 

Thanks

0 Karma

jeisonrosado
Loves-to-Learn

Hi @Splunker96 - Thank you for your response. Unfortunately, I did try blacklisting the file from sourcetype a but that didn't seem to work. When I search for sourcetype b, I don't get any results.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...