Why is my blacklist regular expression not working...

arohde · ‎03-13-2017

Watching: /var/log (across 6 servers)

Blacklist:

(audit|(\.gz$))

Result: still uploads at least a gig of /var/log/audit/audit.log every day. I feel like I've tried everything (tweaking the regular expression, restarting Splunk, waiting)

DalJeanis · ‎03-13-2017

I'd try this

blacklist = (?i:.*?\/audit\/.*$|.*\.gz$)

The initial flag just sets it case insensitive. Then we have a choice of either any name with "/audit/" anywhere in it, lazy before, greedy after, or any file ending in .gz, greedy before because we're only backtracking at the end-of-field marker and that won't take long.

Most of the answer came from here...

https://answers.splunk.com/answers/30645/cant-get-a-blacklist-to-work-please-help.html

and here ...

http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=s...

arohde · ‎03-14-2017

So I tried that in the web interface, but I'm not seeing it change anything. I say that because when I search source=/var/log/audit/audit.log it shows contents still being uploaded. Is there something I'd have to do to make this take effect? Again, I'm only using the web interface so far.

dcarmack_splunk · ‎03-13-2017

can you give examples of filenames in the monitored directory?

arohde · ‎03-14-2017

so UPDATE: If I put the exact same regex in my inputs.conf it works fine. just NOT IN THE WEB INTERFACE.

Why is my blacklist regular expression not working?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector