Here is my input.conf.
[monitor:///tcom/servers/.../logs/*]
blacklist = this_log.log-12345678
sourcetype = app
index = tcom
I know this is wrong as its not working this_log.log-12345678 files are getting in, i think I need a regex to make the blacklist work.. Is that correct? Im pretty new to regex so any help would be greatly appreciated.
Thanks!
Try with this
[monitor:///tcom/servers/.../logs/*]
blacklist = this_log\.log-\d{8}$
sourcetype = app
index = tcom
try this
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$
try this regex
[monitor:///tcom/servers/.../logs/*]
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$
index=yourindexname
sourcetype=yoursourcetypename
Are you adding new blacklist attribute? or just updating the existing one (and restarting after changing the file)? The regex "blacklist = tomcat_access_\d{4}-\d{2}-\d{2}\.log$" looks correct to me. If possible post your current inputs.conf entry for this.
I am now seeing logs from:
logs/tomcat_access_2014-07-09.log
Would this be the correct regex? It's not working...?
"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"
backslashes are missing in here for some reason.
put a \ before .
.log$
Try with this
[monitor:///tcom/servers/.../logs/*]
blacklist = this_log\.log-\d{8}$
sourcetype = app
index = tcom
this_log.log-\d{8}$
I am now seeing logs from:
logs/tomcat_access_2014-07-09.log
Would this be the correct regex? It's not working...?
"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"
so the figure 12345678 are actually a year month dat ie 20140624...