Include files
Add the following line to your monitor stanza in the local/inputs.conf file for the app context in which you defined the input.
whitelist = <your_custom_regex>
For example, to monitor only files with the .log extension, make the following change:
[monitor:///mnt/logs]
whitelist = \.log$
Include multiple files
You can include multiple files in one line, using the "|" (pipe, or "OR") operator. For example, to include file names that contain query.log OR my.log, add the following line to the inputs.conf file:
whitelist = query\.log$|my\.log$
Or, you can include only files that match exactly. See the following example:
whitelist = /query\.log$|/my\.log$
The dollar symbol ( $ ) anchors the regular expression to the end of the line. There is no space before or after the pipe ( | ) operator.
Exclude files
Add the following line to your monitor stanza in the /local/inputs.conf configuration file for the app context in which you defined the input.
blacklist = <your_custom_regex>
If you create a blacklist entry for each file you want to ignore, Splunk Enterprise activates only the last filter.
Example 1: Exclude only files with a .txt extension
To ignore only files with the .txt extension, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = \.txt$
Example 2: Exclude files with a .txt or .gz extension
To ignore all files with either the .txt extension or the .gz extension, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = \.(?:txt|gz)$
Example 3: Exclude an entire directory
To ignore entire directories beneath a monitor input, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = archive|historical|\.bak$
This example configures Splunk Enterprise to ignore all files under /mnt/logs/ within the archive or historical directories, and all files ending in the .bak extension.
Example 4: Exclude a file whose name contains a string
To ignore files whose names contain a specific string, add the following line to the inputs.conf file:
[monitor:///mnt/logs]
blacklist = 2009022[89]file\.txt$
This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.
Example 5: Exclude Windows Event Code 4662 events whose Message field contains a specific value
To ignore Windows Event Code 4662 events whose Message field contains the value Account Name: "example account", add the following line to the inputs.conf file:
[WinEventLog:Security]
blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"
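An added example, not part of the Splunk documentation: a Python check that runs the whitelist and blacklist patterns from the file-monitor examples above against constructed file paths, to show which files an unanchored pattern also includes or drops before the filter is deployed. It assumes the regex is searched against the full file path and that a blacklist match overrides a whitelist match; Python's re module stands in for Splunk's regex engine, and the function names and sample paths are hypothetical.

```python
import re

def is_monitored(path, whitelist=None, blacklist=None):
    """Approximate the monitor filter for one path.

    Assumption: each regex is searched anywhere in the full path, and a
    blacklist match wins over a whitelist match.
    """
    if whitelist is not None and not re.search(whitelist, path):
        return False
    if blacklist is not None and re.search(blacklist, path):
        return False
    return True

def audit(paths, whitelist=None, blacklist=None):
    """Split paths into (kept, dropped) so dropped files can be reviewed."""
    kept, dropped = [], []
    for p in paths:
        (kept if is_monitored(p, whitelist, blacklist) else dropped).append(p)
    return kept, dropped

# Constructed sample paths under the /mnt/logs monitor input.
SAMPLE_PATHS = [
    "/mnt/logs/web/query.log",
    "/mnt/logs/web/slowquery.log",
    "/mnt/logs/archive/2020/app.log",
    "/mnt/logs/app/archive_audit.log",   # not in an archive directory
    "/mnt/logs/historical/auth.log",
    "/mnt/logs/db/config.bak",
    "/mnt/logs/db/config.bak.log",
    "/mnt/logs/webserver20090228file.txt",
]

# Patterns copied from the examples on this page.
LOOSE_WHITELIST = r"query\.log$|my\.log$"
EXACT_WHITELIST = r"/query\.log$|/my\.log$"
DIR_BLACKLIST = r"archive|historical|\.bak$"

if __name__ == "__main__":
    checks = [
        ("whitelist (loose)", {"whitelist": LOOSE_WHITELIST}),
        ("whitelist (exact)", {"whitelist": EXACT_WHITELIST}),
        ("blacklist (directories)", {"blacklist": DIR_BLACKLIST}),
    ]
    for name, kwargs in checks:
        kept, dropped = audit(SAMPLE_PATHS, **kwargs)
        print(name)
        print("  kept:   ", kept)
        print("  dropped:", dropped)
```

Reviewing the dropped list for the directory blacklist shows /mnt/logs/app/archive_audit.log excluded as well, because archive is not tied to a directory boundary.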
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Whitelistorblacklistspecificincomingdata