
Regex setting about blacklist in UF's inputs.conf

ggssa2000
Explorer

Hi, I am collecting the data below, and I am using the UF on the client. Actually, I want all of the data except "0_Packet_2017-05-29.txt", and I tried a blacklist to do this. However, something went wrong when I was writing the blacklist regex.

Text:

40100_Packet_2017-05-29.txt
40110_Packet_2017-05-29.txt
40120_Packet_2017-05-29.txt
40130_Packet_2017-05-29.txt
40140_Packet_2017-05-29.txt
0_Packet_2017-05-29.txt

I have tried these ways, but they failed:

  1. \d{1}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (this also blocks the other files whose names include 0, like 40100, 40110, etc.)
  2. ^\d{0}_Reg_Packet_20[0-9][0-9]-[0-9][0-9]-[0-9][0-9].txt (it doesn't work, because 0_Packet_2017-05-29.txt is not at the start of the line)

Does anyone have a great solution to blacklist only "0_Packet_2017-05-29.txt"? Thanks for the help!


jkat54
SplunkTrust

If you're blacklisting a file named like that then it should look like this:

 [monitor:///path/to/files/*.txt]
 blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt

There isn't a "Reg_Packet" in your example data, just "Packet"s.

If this is data within one file then you'll have to use SEDCMD in props like this:

 [sourcetypeName]
 SEDCMD-redacted = s/\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt//g

ggssa2000
Explorer

I apologize that I didn't describe the question properly.

  1. You're right that there is no "Reg_" in the name.
  2. I want to monitor the .txt files at [monitor:///path/to/files/*.txt]; there are hundreds of files with the [number_Packet_year_month_day] format, and I want to monitor all of the files except the "0_Packet_year_month_day.txt" file.
  3. Your first suggestion, blacklist = \d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt, doesn't work because it will also block the files with 0 in their names, like 40100, 40110, etc.
  4. About the second suggestion: it is not data in the file but the file's name, so I guess props.conf doesn't help in this case.

Here is an online regex website, and I put my example there.
I took a screenshot of the result of applying your blacklist regex, but it doesn't work.
Result: https://www.dropbox.com/s/8is9hhmlz7ye0v8/0_reg%20blacklist.png?dl=0
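
An added example, not part of any post in this thread: it reproduces the over-matching described above and compares the answer's pattern with an anchored one. It assumes the monitor blacklist regex is searched, unanchored, against the full file path; Python's `re` stands in for Splunk's PCRE, and the `ANCHORED` pattern, the extra sample paths and the `blacklisted` helper are constructed here and should be verified on the forwarder.

```python
import re

# Constructed sample paths: file names from the question under the answer's
# placeholder directory, plus two constructed edge cases (10_..., Windows path).
PATHS = [
    "/path/to/files/40100_Packet_2017-05-29.txt",
    "/path/to/files/40110_Packet_2017-05-29.txt",
    "/path/to/files/10_Packet_2017-05-29.txt",
    "/path/to/files/0_Packet_2017-05-29.txt",
    r"C:\logs\0_Packet_2017-05-29.txt",
]

# Pattern from the answer. It is unanchored, so the single \d is free to
# match the LAST digit of 40100, 40110 or 10.
ANSWER = r"\d{1}_Packet_\d{4}-\d{2}-\d{2}\.txt"

# Assumed alternative (not from the thread): a literal 0 that must directly
# follow a path separator, and .txt that must end the path.
ANCHORED = r"[\\/]0_Packet_\d{4}-\d{2}-\d{2}\.txt$"


def blacklisted(pattern, paths):
    """Return the paths that a blacklist with this regex would skip.

    Uses search(), not fullmatch(): a hit anywhere in the full path
    is enough to exclude the file.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for name, pattern in (("answer", ANSWER), ("anchored", ANCHORED)):
        print(f"{name}: {pattern}")
        for path in PATHS:
            hit = "SKIP   " if re.search(pattern, path) else "monitor"
            print(f"  {hit} {path}")
```

A leading `^` does not help here because it anchors to the start of the whole path rather than to the start of the file name, which is why the separator class is used instead.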
