whitelist and blacklist input

virtualpony · ‎04-15-2013

Hi, I am trying to construct an input.conf stanza + whitelist/blacklist rule to look for the following:

accept all **.log* files but specifically ignore
log4j.log, broker.log, somefile.log

This is how the input.conf file looks like right now:

[monitor://D:\ProgramName\logs]
whitelist=\.log$
blacklist=log4j|broker|somefile
disabled=false
sourcetype=newsourcetype

but at the moment it doesnt look like anything is being picked up with this combination. I have confirmed that the universal forwarder has installed this app.

JSapienza · ‎04-16-2013

Try :

[monitor://D:\ProgramName\logs\*.log]
blacklist = (log4j|broker|somefile)
disabled=false
sourcetype=newsourcetype

Also you might want to review these :

Whitelist or blacklist specific incoming data

Edit Inputs.conf

JSapienza · ‎04-16-2013

Well then there is another underlying issue because that is a valid input stanza. Are other files/directories being monitored on this machine and is that data visible from the search-head? Is this a manual deploy or are you using deployment server to push your changes ?

virtualpony · ‎04-16-2013

Sorry, this doesn't work either.

whitelist and blacklist input

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio