Practical Splunk filtering: whitelist + blacklist

Author: Internet

Include files

Add the following line to the monitor stanza in the local/inputs.conf file for the app context in which you defined the input.

whitelist = <your_custom_regex>

For example, to monitor only files with the .log extension, make the following change:

[monitor:///mnt/logs]
    whitelist = \.log$

Include multiple files

You can include multiple files in one line, using the "|" (pipe, or "OR") operator. For example, to include file names that contain query.log OR my.log, add the following line to the inputs.conf file:

whitelist = query\.log$|my\.log$

Or, to include only files whose full name is query.log or my.log (rather than any name that merely ends in those strings), anchor each alternative on the directory separator:

whitelist = /query\.log$|/my\.log$

The dollar symbol ( $ ) anchors the regular expression to the end of the line. There is no space before or after the pipe ( | ) operator.

Exclude files

Add the following line to your monitor stanza in the /local/inputs.conf configuration file for the app context in which you defined the input.

blacklist = <your_custom_regex>

If you add a separate blacklist line for each file you want to ignore, Splunk Enterprise keeps only the last one; combine the patterns into a single regular expression instead.

Example 1: Exclude only files with a .txt extension

To ignore and not monitor only files with the .txt extension, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = \.txt$

Example 2: Exclude files with a .txt or .gz extension

To ignore and not monitor all files with either the .txt extension or the .gz extension, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = \.(?:txt|gz)$

Example 3: Exclude an entire directory

To ignore entire directories beneath a monitor input, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = archive|historical|\.bak$

This example configures Splunk Enterprise to ignore all files under /mnt/logs/ within the archive or historical directories, and all files ending in the .bak extension. Note that archive and historical are unanchored, so they match anywhere in the full path.

Example 4: Exclude a file whose name contains a string

To ignore files whose names contain a specific string, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.
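The following script is an added example, not code from the page or from Splunk. It simulates how the whitelist and blacklist regexes above are applied to file paths, so you can check a pattern before deploying it: it reads a constructed monitor stanza (where a repeated blacklist key overwrites the earlier one, this example's model of the "only the last filter is active" note), applies the filters to constructed paths, and shows the two pitfalls the text calls out: a whitelist without a leading slash matching a longer file name, and spaces around the pipe operator. The stanza parser and the assumption that each regex is an unanchored search over the full path are this example's own.

```python
import re

# Constructed sample stanza (not from the page): the two blacklist lines
# reproduce the mistake the text warns about, one blacklist line per pattern.
SAMPLE_STANZA = r"""
[monitor:///mnt/logs]
whitelist = \.log$
blacklist = archive|historical
blacklist = \.(?:txt|gz)$
"""

# The same stanza with the exclusions combined into one regex.
FIXED_STANZA = r"""
[monitor:///mnt/logs]
whitelist = \.log$
blacklist = archive|historical|\.(?:txt|gz)$
"""

# Constructed file paths to run the filters over.
SAMPLE_PATHS = [
    "/mnt/logs/app.log",
    "/mnt/logs/app.log.1",
    "/mnt/logs/archive/old.log",
    "/mnt/logs/notes.txt",
]


def parse_stanza(text):
    """Read the key = value lines of one stanza into a dict.

    A repeated key simply overwrites the earlier value. That is this
    example's model (an assumption, not Splunk's real parser) of the
    note that only the last whitelist/blacklist line takes effect.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_monitored(path, whitelist=None, blacklist=None):
    """True if a file path passes the filters.

    Both regexes are treated as unanchored searches over the full path,
    which is why the examples anchor with $ or a leading slash. A
    whitelist, when set, must match; a blacklist must not match.
    """
    if whitelist and not re.search(whitelist, path):
        return False
    if blacklist and re.search(blacklist, path):
        return False
    return True


def filter_paths(stanza_text, paths):
    """Apply a stanza's whitelist/blacklist to a list of paths."""
    cfg = parse_stanza(stanza_text)
    return [p for p in paths
            if is_monitored(p, cfg.get("whitelist"), cfg.get("blacklist"))]


def exact_vs_contains(path="/mnt/logs/myquery.log"):
    """Compare the two whitelist forms on a name that merely ends in
    query.log: the plain form matches, the slash-anchored one does not."""
    contains = r"query\.log$|my\.log$"
    exact = r"/query\.log$|/my\.log$"
    return bool(re.search(contains, path)), bool(re.search(exact, path))


def pipe_spacing_pitfall(path="/mnt/logs/my.log"):
    """Spaces around | become part of the alternatives, so the padded
    pattern silently stops matching."""
    tight = r"query\.log$|my\.log$"
    padded = r"query\.log$ | my\.log$"
    return bool(re.search(tight, path)), bool(re.search(padded, path))


if __name__ == "__main__":
    print("last blacklist wins:", filter_paths(SAMPLE_STANZA, SAMPLE_PATHS))
    print("combined blacklist: ", filter_paths(FIXED_STANZA, SAMPLE_PATHS))
    print("contains vs exact:  ", exact_vs_contains())
    print("tight vs padded |:  ", pipe_spacing_pitfall())
```

With SAMPLE_STANZA, /mnt/logs/archive/old.log is still monitored because the second blacklist line replaced the one that excluded archive; FIXED_STANZA drops it. Run the script against your own paths before restarting the forwarder, and remember that the real check is against the full path, not the bare file name.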

Example 5: Exclude Windows Event Code 4662 events whose Message field contains a specific value

To ignore Windows Event Code 4662 events whose Message field contains Account Name: "example account", add the following line to the inputs.conf file:

[WinEventLog:Security]
    blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"
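The next script is an added example, not code from the page or from Splunk. It parses the key = "regex" form of the Windows event blacklist shown in Example 5 and runs it over constructed events, so you can see which events such a filter drops before it touches your security log. The parser and the rule it applies (every pair must match its field, each regex as an unanchored search) are this example's assumptions about the format, not a statement of how the Splunk Windows input itself evaluates it.

```python
import re

# The Example 5 value, reused here as the filter under test.
BLACKLIST1 = r'EventCode = "4662" Message = "Account Name:\s+(example account)"'

# One key = "regex" pair; the quoted part may contain backslash escapes.
PAIR_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')

# Constructed sample events (not real Windows logs); only the two fields
# the filter looks at are modelled.
SAMPLE_EVENTS = [
    {"EventCode": "4662",
     "Message": "An operation was performed on an object.\r\n\r\n"
                "Subject:\r\n\tAccount Name:\t\texample account\r\n"},
    {"EventCode": "4662",
     "Message": "Subject:\r\n\tAccount Name:\t\tsvc-backup\r\n"},
    {"EventCode": "4624",
     "Message": "Subject:\r\n\tAccount Name:\t\texample account\r\n"},
]


def parse_key_regex_pairs(value):
    """Split a blacklist value into (field, regex) tuples."""
    return PAIR_RE.findall(value)


def event_is_blacklisted(event, pairs):
    """Assumption used by this example: every pair must match its field
    (unanchored search) for the event to be dropped. A missing field
    counts as a non-match, and an empty pair list drops nothing."""
    for key, regex in pairs:
        value = event.get(key)
        if value is None or not re.search(regex, str(value)):
            return False
    return bool(pairs)


def classify(events, blacklist_value):
    """Label each event 'dropped' or 'kept' under the given blacklist."""
    pairs = parse_key_regex_pairs(blacklist_value)
    return ["dropped" if event_is_blacklisted(e, pairs) else "kept"
            for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS, BLACKLIST1)):
        print(event["EventCode"], verdict)
```

Only the first event matches both pairs; the 4662 event for a different account and the 4624 event for the named account are both kept. Because this simulation searches each regex unanchored, a value such as 14662 would also satisfy "4662"; when that matters, anchor the pair with ^ and $, and keep the dropped-event list narrow, since anything the blacklist removes never reaches the index and cannot be searched later.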

Reference: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Whitelistorblacklistspecificincomingdata

Tags: files, monitor, blacklist, following, file, splunk, whitelist, line, txt
Source: https://blog.csdn.net/shenghuiping2001/article/details/120547135