How to blacklist or whitelist logs monitored in a ...

shariinPH · ‎03-10-2015

Hi

I have to monitor a specific folder in a certain directory
For example my path is
G:\opdata\my_data\motherfolder\
inside the motherfolder directory, there are sub directories which are

01 Jan 2015
02 Feb 2015
020115
030115
anotherfoldername
anotherfoldername2

I have to monitor the logs with the filenames **sunn.txt* on the directories with the format mmddyy which will match the directories 020115 and 030115

in my inputs.conf, i tried to put

[monitor://G:\opdata\my_data\motherfolder\*\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but it doesnt forward anything on my indexer so i tried this one

[monitor://G:\opdata\my_data\motherfolder\...\*sunn.txt]
disabled = false
index = myindex
sourcetype = mysc
_TCP_ROUTING=devmay
crcSalt = <SOURCE>

but the problem here is all the files with sunn.txt were indexed, even files that has the *sunn.txt* in the 01 Jan 2015 and 02 Feb 2015 were indexed.

I'm thinking to use blacklist or whitelist, but I'm having trouble to use them.
Help me pls.

satishsdange · ‎03-11-2015

could you please try below

[monitor://G:\opdata\my_data\motherfolder\]
whitelist = \d+\*sunn.txt

satishsdange · ‎03-12-2015

If your query is still open, you may use below -

[monitor://G:\opdata\my_data\motherfolder\]
     whitelist = \d{6}\*sunn.txt

shariinPH · ‎03-15-2015

It still doesnt work ..or does this configuration takes time before it takes effect?

satishsdange · ‎03-15-2015

did you restart UF?

shariinPH · ‎03-16-2015

yes i've done it

shariinPH · ‎03-11-2015

hi satishdange .. thanks, but it doesn't forward data to indexer .. what else do u think?

How to blacklist or whitelist logs monitored in a Windows directory?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms