
blacklist not working

a212830
Champion

Hi,

I have an inputs.conf that is picking up a file that I want blacklisted. The file name is summary_1.diag. I thought this would filter it out. Any suggestions?

[monitor://F:\IBM\Lotus\Domino\Trace\*.diag]
sourcetype = STCommunityTraceLogs_diag
index = euc_sametimedata
disabled = false
followTail = 0
crcSalt = <SOURCE>
blacklist = summary_*.diag

kristian_kolb
Ultra Champion

I think that your problem lies in the blacklist regex;

* is a quantifier which means 'match the preceding character zero or more times', and . (dot) means 'match any character' (including a literal dot). So summary_*.diag means summary followed by zero or more underscores, followed by a single character, followed by diag. This will match the following (and a lot of other strings);

summary.diag
summary_1diag
summary____Gdiag

However, it cannot match summary_1.diag. A regex that matches summary_, followed by numbers, followed by .diag would look like:

summary_\d+\.diag

/K
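The difference between the two patterns, as an added example that is not part of the original thread: it runs the blacklist value from the question and the regex from the answer over a set of file paths and lists which files each would exclude. Assumptions: Python's `re` stands in for Splunk's regex engine, the pattern is applied as an unanchored search over the full path, the sample paths are constructed, and the anchored variant is an addition here rather than something proposed in the thread.

```python
import re

# Pattern from the question, pattern from the answer, and an anchored
# variant (hypothetical, added here) that only matches a whole file name.
QUESTION = r"summary_*.diag"
ANSWER = r"summary_\d+\.diag"
ANCHORED = r"[\\/]summary_\d+\.diag$"

# Constructed sample paths under the monitored directory from the question.
BASE = "F:\\IBM\\Lotus\\Domino\\Trace\\"
PATHS = [BASE + name for name in (
    "summary_1.diag",          # the file the asker wants excluded
    "summary_42.diag",
    "summary.diag",            # the three strings listed in the answer
    "summary_1diag",
    "summary____Gdiag",
    "trace_1.diag",            # must stay monitored
    "old_summary_1.diag.bak",  # shows the effect of an unanchored regex
)]


def blacklisted(pattern, paths):
    """Return the file names whose full path matches the regex anywhere."""
    rx = re.compile(pattern)
    return [p.rsplit("\\", 1)[-1] for p in paths if rx.search(p)]


if __name__ == "__main__":
    for label, pattern in (("question", QUESTION),
                           ("answer", ANSWER),
                           ("anchored", ANCHORED)):
        print(f"{label:9} {pattern!r:28} excludes {blacklisted(pattern, PATHS)}")
```

Without an anchor, the answer's regex also excludes any path that merely contains a matching substring, such as the constructed `old_summary_1.diag.bak`; the anchored variant limits the match to a complete file name.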
