Fschange blacklist filter issues

Can anyone see anything wrong with the following blacklist. My goal is to exclude the the directories from being included in the fschange

[filter:blacklist:blcompany]
regex1 = /usr/local/company/jboss-versions/.*/jboss-as/server/.*/data/
regex2 = /usr/local/company/jboss-versions/.*/jboss-as/server/.*/work/
regex3 = /usr/local/company/jboss-versions/.*/jboss-as/server/.*/tmp/
regex4 = /usr/local/company/builds/.*/.*/data/
regex4 = /usr/local/company/builds/.*/.*/work/
regex4 = /usr/local/company/builds/.*/.*/tmp/

[fschange:/usr/local/company]
index = linux-security
recurse = true
followLinks = false
signedaudit = false
fullEvent = false
delayInMills = 1000
pollPeriod = 600
sourcetype = linux_company_fschange
filters = blcompany

and example directory that is showing up is

/usr/local/company/builds/test-server/2/data/hypersonic

asked 15 Jun '11, 12:30

imacdonald2
182●1●7
accept rate: 80%

edited 15 Jun '11, 15:30

jbsplunk ♦
11.1k●1●6●25

Maybe I spoke to soon I see a lot of enteries in the black listed directories that are marked as action=delete-parent, so it may be working as expected.

(15 Jun '11, 13:11) imacdonald2

Be the first one to answer this question!

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

fschange ×82
blacklist ×43

Asked: 15 Jun '11, 12:30

Seen: 673 times

Last updated: 15 Jun '11, 15:30

Fschange blacklist filter issues

Follow this question

Splunk Resources

Related questions