Getting Data In

How to whitelist or blacklist log files in Zip Archives?

bleinfelder
Path Finder

Hi there,

I'm trying to monitor log files in zip archives, that contain additional data files, which I mustn't monitor.

How can a I specify whitelist/blacklist for files contained in a zip archive?

I tried using whitelist in inputs.conf stanza, but that whitelist causes splunk to ignore the zip file completely.

Any help appreciated.

Regards,

Bernd

0 Karma

csaur_splunk
Splunk Employee
Splunk Employee

You can create a transform that sends the events to the nullQueue from the your blacklist by matching the source value.
Example: This will ignore all events from a zip archive that are README.txt files
in transforms.conf example:

[archived_file_blacklist]
SOURCE_KEY = MetaData:Source
FORMAT = nullQueue
DEST_KEY = queue
REGEX = (README)\.txt$

in props.conf example:

[zip_archive_sourcetype]
TRANSFORMS = archived_file_blacklist

in inputs.conf example:

[monitor:///Users/myuser/zipfiles/*.zip]
sourcetype = zip_archive_sourcetype

grijhwani
Motivator

Last time I saw this asked there was no inherent mechanism for it. The white/blacklist specification is for monitoring paths.

The only thing I can think of is to unpack the zips by script, and ingest files selectively.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...