Dear Community,
In our Webserver we have the following Logs: F:\IIS-Log
Sometimes we have F:\IIS-LOG\FTP and F:\IIS-LOG\WWW in this folder and sometimes the logs are stored on the Webserver without the FTP and WWW subfolders.
So we created the following "inputs.conf" entry for our Windows-Webserver-APP (Deployment App):
[monitor://C:\inetpub\logs\LogFiles]
blacklist=*\FTP*$
index=winwebserver
sourcetype=iis
disabled=0

[monitor://F:\IIS-Log]
index=winwebserver
sourcetype=iis
blacklist=*\FTP*$
disabled=0
The Problem is, we still get the Logs from the F:\IIS-LOG\FTP\ Folder...
We need the * wildcard because sometimes the Logs are stored in F:\IIS-LOG\FTPSCV1\ folder etc.
How to correctly blacklist the FTP-Logs?
The blacklist actually needs to be a regular expression. Remember that "*" is a reserved character meaning zero or more. Could you try doing the following?
blacklist=FTP.*$ or maybe blacklist=FTP
Here are some more examples.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Whitelistorblacklistspecificincomingdata
You can test your regular expression at:
Sorry, I forgot the wildcard in the first post
blacklist=FTP*$