Deployment Architecture

Regex setting about blacklist in UF's inputs.conf

ggssa2000
Explorer

Hi, I am collecting the data below, and I am using the UF on the client. Actually I only want the data except "0_Packet_2017-05-29.txt", and I tried the blacklist to do this. However, something went wrong when I was writing the blacklist regex.

Text:

40100_Packet_2017-05-29.txt
40110_Packet_2017-05-29.txt
40120_Packet_2017-05-29.txt
40130_Packet_2017-05-29.txt
40140_Packet_2017-05-29.txt
0_Packet_2017-05-29.txt

I have tried these ways, but they failed:

  1. \d{1}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (this will also block the other files that include 0, like 40100, 40110, etc.)
  2. ^\d{0}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (it doesn't work, because 0_Packet_2017-05-29.txt is not at the start of the line)

Does anyone have a great solution to blacklist only "0_Packet_2017-05-29.txt"? Thanks for the help!


jkat54
SplunkTrust

If you're blacklisting a file named like that then it should look like this:

 [monitor:///path/to/files/*.txt]
 blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt

There isn't a "Reg_Packet" in your example data, just "Packet"s.

If this is data within one file then you'll have to use SEDCMD in props like this:

 [sourcetypeName]
 SEDCMD-redacted = s/\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt//g

ggssa2000
Explorer

I apologize that I didn't describe the question properly.

  1. You're right that there is no "Reg_" in the name.
  2. I want to monitor the .txt files at [monitor:///path/to/files/*.txt], and there are hundreds of files with the [number_Packet_year_month_day] format, and I want to monitor all of the files excluding the "0_Packet_year_month_day.txt" file.
  3. Your first suggestion, blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt, doesn't work because it will also block the files with 0 in the name, like 40100, 40110, etc.
  4. About the second suggestion: it is not data in the file, it is the file's name. So props.conf doesn't help in this case, I guess.

Here is an online regex website, and I put my example on there.
I took a screenshot of the result of applying your blacklist regex, but it doesn't work.
Result: https://www.dropbox.com/s/8is9hhmlz7ye0v8/0_reg%20blacklist.png?dl=0

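An added example, not part of any post above: a Python check of blacklist candidates against the file names from the question. It assumes the blacklist regex is searched unanchored against each file's full path and uses Python's `re` as a stand-in for the forwarder's regex engine; the `caret_anchored` and `separator_anchored` patterns and the helper names are this example's own.

```python
import re

# Constructed sample: the file names from the question, placed under the
# placeholder directory used in the thread's monitor stanza.
BASE = "/path/to/files/"
NAMES = [
    "40100_Packet_2017-05-29.txt",
    "40110_Packet_2017-05-29.txt",
    "40120_Packet_2017-05-29.txt",
    "40130_Packet_2017-05-29.txt",
    "40140_Packet_2017-05-29.txt",
    "0_Packet_2017-05-29.txt",
]
PATHS = [BASE + n for n in NAMES]
TARGET = [BASE + "0_Packet_2017-05-29.txt"]

CANDIDATES = {
    # Pattern from the answer in the thread.
    "thread_answer": r"\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt",
    # Constructed variant: '^' anchors to the start of the whole path.
    "caret_anchored": r"^0_Packet_\d{4}-\d{2}-\d{2}\.txt",
    # Constructed variant: require a path separator right before the 0.
    "separator_anchored": r"[\\/]0_Packet_\d{4}-\d{2}-\d{2}\.txt$",
}

def blacklisted(pattern, paths=PATHS):
    """Return the paths an unanchored search of `pattern` would exclude."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

def audit(pattern, must_block=TARGET, paths=PATHS):
    """Compare what a pattern blocks with what it is meant to block."""
    blocked = set(blacklisted(pattern, paths))
    wanted = set(must_block)
    return {
        "over_blocked": sorted(blocked - wanted),  # files lost by mistake
        "missed": sorted(wanted - blocked),        # files still ingested
    }

if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        print(f"{label:20} {audit(pattern)}")
```

Under those assumptions, only the separator-anchored pattern excludes the one unwanted file, so the corresponding setting would be `blacklist = [\\/]0_Packet_\d{4}-\d{2}-\d{2}\.txt$`.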