Solved: blacklist file form inputs.conf

smudge797 · ‎06-24-2014

Here is my input.conf.

[monitor:///tcom/servers/.../logs/*]
blacklist = this_log.log-12345678
sourcetype = app
index = tcom

I know this is wrong as its not working this_log.log-12345678 files are getting in, i think I need a regex to make the blacklist work.. Is that correct? Im pretty new to regex so any help would be greatly appreciated.

Thanks!

somesoni2 · ‎06-24-2014

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

View solution in original post

u519899 · ‎06-20-2019

try this
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$

u519899 · ‎06-20-2019

try this regex

[monitor:///tcom/servers/.../logs/*]
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$
index=yourindexname
sourcetype=yoursourcetypename

somesoni2 · ‎07-09-2014

Are you adding new blacklist attribute? or just updating the existing one (and restarting after changing the file)? The regex "blacklist = tomcat_access_\d{4}-\d{2}-\d{2}\.log$" looks correct to me. If possible post your current inputs.conf entry for this.

smudge797 · ‎07-09-2014

I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

backslashes are missing in here for some reason.

nawazns5038 · ‎01-03-2017

put a \ before .

.log$

somesoni2 · ‎06-24-2014

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

smudge797 · ‎07-09-2014

this_log.log-\d{8}$
I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

smudge797 · ‎06-24-2014

so the figure 12345678 are actually a year month dat ie 20140624...

blacklist file form inputs.conf

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!