Splunk Search

blacklist file form inputs.conf

smudge797
Path Finder

Here is my input.conf.

[monitor:///tcom/servers/.../logs/*]
blacklist = this_log.log-12345678
sourcetype = app
index = tcom

I know this is wrong as its not working this_log.log-12345678 files are getting in, i think I need a regex to make the blacklist work.. Is that correct? Im pretty new to regex so any help would be greatly appreciated.

Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

View solution in original post

u519899
New Member

try this
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$

0 Karma

u519899
New Member

try this regex

[monitor:///tcom/servers/.../logs/*]
blacklist = .+tomcat_access_\d{4}\D\d{2}\D\d{2}.log$
index=yourindexname
sourcetype=yoursourcetypename

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you adding new blacklist attribute? or just updating the existing one (and restarting after changing the file)? The regex "blacklist = tomcat_access_\d{4}-\d{2}-\d{2}\.log$" looks correct to me. If possible post your current inputs.conf entry for this.

0 Karma

smudge797
Path Finder

I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

backslashes are missing in here for some reason.

0 Karma

nawazns5038
Builder

put a \ before .

.log$

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try with this

[monitor:///tcom/servers/.../logs/*] 
blacklist = this_log\.log-\d{8}$
sourcetype = app 
index = tcom

smudge797
Path Finder

this_log.log-\d{8}$
I am now seeing logs from:
logs/tomcat_access_2014-07-09.log

Would this be the correct regex? It's not working...?

"blacklist = tomcat_access_\d{4}-\d{2}-\d{2}.log$"

0 Karma

smudge797
Path Finder

so the figure 12345678 are actually a year month dat ie 20140624...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...