实用的 splunk 过滤 白名单+黑名单
作者:互联网
Include files
Add the following line to your monitor stanza in the local/inputs.conf file for the app context that you defined the input.
whitelist = <your_custom regex>
For example, to monitor only files with the .log extension, make the following change:
[monitor:///mnt/logs]
whitelist = \.log$
Include multiple files
You can include multiple files in one line, using the "|" (pipe, or "OR") operator. For example, to include file names that contain query.log OR my.log, add the following line to the inputs.conf file:
whitelist = query\.log$|my\.log$
Or, you can include only files that match exactly. See the following example:
whitelist = /query\.log$|/my\.log$
The dollar symbol ( $ ) anchors the regular expression to the end of the line. There is no space before or after the pipe ( | ) operator.
Exclude files
Add the following line to your monitor stanza in the /local/inputs.conf configuration file for the app context in which you defined the input.
blacklist = <your_custom_regex>
If you create a blacklist entry for each file you want to ignore, Splunk Enterprise activates only the last filter.
Example 1: Exclude only files with a .txt extension
To ignore and not monitor only files with the txt extension, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = \.txt$
Example 2: Exclude files with a .txt or .gz extension
To ignore and not monitor all files with either the .txt extension or the .gz extension, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = \.(?:txt|gz)$
Example 3: Exclude an entire directory
To ignore entire directories beneath a monitor input, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = archive|historical|\.bak$
This example configures Splunk Enterprise to ignore all files under /mnt/logs/ within the archive or historical directories, and all files ending in the *.bak extension.
Example 4: Exclude a file whose name contains a string
To ignore files whose names contain a specific string, add the following line to the inputs.conf file:
[monitor:///mnt/logs] blacklist = 2009022[89]file\.txt$
This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.
Example 5: Exclude Windows Event Code 4662 events whose Message field contains a specific value
To ignore Windows Event Code 4662 events whose Message field contains events with the value Account Name: "example account", add the following line to the inputs.conf file:
[WinEventLog:Security] blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"
参考:https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Whitelistorblacklistspecificincomingdata
标签:files,monitor,黑名单,following,file,splunk,白名单,line,txt 来源: https://blog.csdn.net/shenghuiping2001/article/details/120547135