Regex setting about blacklist in UF's inputs.conf

ggssa2000
Explorer

Hi, I am collecting the data below, and I am using the UF on the client. Actually I only want the data except "0_Packet_2017-05-29.txt", and I tried the blacklist to do this. However, there was something wrong when I was writing the blacklist regex.

Text:

40100_Packet_2017-05-29.txt
40110_Packet_2017-05-29.txt
40120_Packet_2017-05-29.txt
40130_Packet_2017-05-29.txt
40140_Packet_2017-05-29.txt
0_Packet_2017-05-29.txt

I have tried these ways, but they failed:

  1. \d{1}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (this also blocks the other data that includes 0, like 40100, 40110...etc)
  2. ^\d{0}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (it doesn't work, because the 0_Packet_2017-05-29.txt is not the starting line)

Does anyone have a great solution to blacklist only the "0_Packet_2017-05-29.txt"? Thanks for the help!

0 Karma

jkat54
SplunkTrust

If you're blacklisting a file named like that then it should look like this:

 [monitor:///path/to/files/*.txt]
 blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt

There isn't a "Reg_Packet" in your example data, just "Packet"s.

If this is data within one file then you'll have to use SEDCMD in props like this:

 [sourcetypeName]
 SEDCMD-redacted = s/\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt//g

ggssa2000
Explorer

I apologize that I didn't describe the question properly.

  1. You're right that there is no "Reg_" in the name.
  2. I want to monitor the .txt files at [monitor:///path/to/files/*.txt]; there are hundreds of files in the [number_Packet_year_month_day] format, and I want to monitor all of the files except the "0_Packet_year_month_day.txt" file.
  3. Your first suggestion, blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt, doesn't work because it will block the files with 0 in the name, like 40100, 40110...etc, too.
  4. About the second suggestion: it is not data in the file; it is the file's name. So I guess props.conf doesn't help in this case.

Here is an online regex website, and I put my example on there.
I took a screenshot of the result of applying your blacklist regex, but it doesn't work.
Result: https://www.dropbox.com/s/8is9hhmlz7ye0v8/0_reg%20blacklist.png?dl=0

0 Karma
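Added example (not from any poster in this thread): the monitor blacklist is an unanchored regex matched against the full file path, so this Python check runs the thread's patterns and one separator-anchored pattern over the file names from the question. The `separator_anchored` pattern is an assumption added here, `/path/to/files/` is the placeholder directory from the answer, and the second thread pattern is shown with "Reg_" dropped, as the thread agreed.

```python
import re

# Constructed sample: file names from the question, under the placeholder
# directory used in the answer's monitor stanza.
BASE = "/path/to/files/"
NAMES = ["40100_Packet_2017-05-29.txt", "40110_Packet_2017-05-29.txt",
         "40120_Packet_2017-05-29.txt", "40130_Packet_2017-05-29.txt",
         "40140_Packet_2017-05-29.txt", "0_Packet_2017-05-29.txt"]
PATHS = [BASE + n for n in NAMES]
MUST_BLOCK = {BASE + "0_Packet_2017-05-29.txt"}

CANDIDATES = {
    # From the thread: unanchored, so \d{1} matches the last digit of 40100.
    "thread_unanchored": r"\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt",
    # From the thread, "Reg_" dropped: ^ is the start of the path, not the name.
    "thread_caret": r"^\d{0}_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt",
    # Added here (assumption): require a path separator right before the 0.
    "separator_anchored": r"[\\/]0_Packet_\d{4}-\d{2}-\d{2}\.txt$",
}

def blacklisted(pattern, paths):
    """Paths excluded when `pattern` is searched, unanchored, in the full path."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def evaluate(candidates, paths, must_block):
    """For each pattern, list what it blocks, over-blocks and misses."""
    report = {}
    for label, pattern in candidates.items():
        hit = set(blacklisted(pattern, paths))
        report[label] = {
            "blocked": sorted(hit),
            "over_blocked": sorted(hit - must_block),  # silently lost data
            "missed": sorted(must_block - hit),        # still ingested
        }
    return report

if __name__ == "__main__":
    for label, r in evaluate(CANDIDATES, PATHS, MUST_BLOCK).items():
        print(f"{label}: blocks {len(r['blocked'])}, "
              f"over-blocks {len(r['over_blocked'])}, misses {len(r['missed'])}")
```

In inputs.conf the separator-anchored pattern would be written as blacklist = [\\/]0_Packet_\d{4}-\d{2}-\d{2}\.txt$ under the monitor stanza. Running a check like this before deploying a blacklist catches over-blocking, which otherwise shows up only as missing data on the indexer.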