Getting Data In

How to whitelist files in directory and not in subdirectories?

akchauhan
Explorer

Hi Guys
I am trying to pick logs having job-info.*log name in common directory and job-heartbeat.*log from heartbeat sub directory and job-error.*log from error sub directory. I used the configuration below and it is working fine. The only issue that I am facing is that job-info.*log files are also getting picked up when someone places these files in other sub directories (xyz in the case below). I don't want these files to be picked up when they are placed in any sub-directories. These should be picked up only when they are placed in the common directory. Please suggest changes in the whitelist.

[monitor:///abc/common/]
disabled = false
index = infra_job
whitelist = (job-info.*log|heartbeat/job-heartbeat.*log|error/job-error.*log)

directories structure

cd /abc/common/

files/directories under this directory (example)

error/
heartbeat/
xyz/job-info.*log ---- don't want these logs to be picked up
job-info1.log
job-info2.log
job-info3.log

Thanks in advance

0 Karma

FrankVl
Ultra Champion

Why not create 3 separate monitor inputs, one for job-info, one for error and one for heartbeat?

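# In monitor paths the wildcard is * (it stays within one path segment) and "." is a
# literal dot, so the patterns are written job-info*.log rather than job-info.*log.
[monitor:///abc/common/job-info*.log]
disabled = false
index = infra_job

[monitor:///abc/common/heartbeat/job-heartbeat*.log]
disabled = false
index = infra_job

[monitor:///abc/common/error/job-error*.log]
disabled = false
index = infra_job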
0 Karma

akchauhan
Explorer

Yes, this was already in mind. Just thinking that, instead of creating 3 separate model inputs, if it is possible to do this using whitelist/blacklist in a single input, that would be great.

0 Karma

horsefez
Motivator

Hey akchauhan,

there is a blacklist setting you could set for the job-info*.log files.

Just add the following line to your config:

blacklist=(\/abc\/common\/xyz\/job-info\d*\.log)

This will make sure you definitely will not index files under the specified path, because blacklists take precedence over whitelists.
Stated here: "If a file matches the regexes in both the blacklist and whitelist settings, the file is NOT monitored. Blacklists take precedence over whitelists."

0 Karma

akchauhan
Explorer

There are chances that the dev team can create a directory similar to xyz with another name as well. So what change do I need to add in the blacklist you mentioned?

0 Karma

ddrillic
Ultra Champion
recursive = false

might do it.

0 Karma

akchauhan
Explorer

This is not working. Adding recursive = false will not pick logs in error and heartbeat directory.

0 Karma
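
An added example, not posted by anyone in this thread: a small Python check of which file paths each configuration discussed above would monitor. It assumes the whitelist and blacklist are regexes searched against the full file path, with Python's re module standing in for Splunk's regex engine. ANCHORED_WL is an assumed single-input alternative, and the sample paths (including "newdir") are constructed.

```python
import re

# Whitelist from the question: unanchored, so "job-info.*log" matches in any subdirectory.
ORIGINAL_WL = r"(job-info.*log|heartbeat/job-heartbeat.*log|error/job-error.*log)"
# Blacklist suggested in the thread: covers only the xyz directory.
XYZ_BL = r"(\/abc\/common\/xyz\/job-info\d*\.log)"
# Assumption (not from the thread): anchor on the monitored directory and use [^/]*
# so a match cannot cross into another path segment.
ANCHORED_WL = (r"^/abc/common/(job-info[^/]*\.log"
               r"|heartbeat/job-heartbeat[^/]*\.log"
               r"|error/job-error[^/]*\.log)$")

# Constructed sample paths; "newdir" stands for a directory created later.
WANTED = [
    "/abc/common/job-info1.log",
    "/abc/common/job-info2.log",
    "/abc/common/heartbeat/job-heartbeat-01.log",
    "/abc/common/error/job-error-01.log",
]
UNWANTED = [
    "/abc/common/xyz/job-info1.log",
    "/abc/common/newdir/job-info7.log",
]

def monitored(paths, whitelist, blacklist=None):
    """Return the paths that match the whitelist and do not match the blacklist.

    Both patterns are searched (unanchored) against the full path, and a
    blacklist match wins over a whitelist match.
    """
    wl = re.compile(whitelist)
    bl = re.compile(blacklist) if blacklist else None
    return [p for p in paths if wl.search(p) and not (bl and bl.search(p))]

def leaked(whitelist, blacklist=None):
    """Unwanted paths that would still be monitored under this configuration."""
    picked = monitored(WANTED + UNWANTED, whitelist, blacklist)
    return [p for p in picked if p in UNWANTED]

if __name__ == "__main__":
    for name, wl, bl in [("original whitelist", ORIGINAL_WL, None),
                         ("original + xyz blacklist", ORIGINAL_WL, XYZ_BL),
                         ("anchored whitelist", ANCHORED_WL, None)]:
        print(f"{name}: leaked={leaked(wl, bl)}")
```

The xyz-only blacklist still lets the new directory through, while the anchored pattern keeps all four wanted files and nothing else; confirm the pattern on a test forwarder before relying on it.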