How to set up the log to be rotated
- Release date: 2015-05-07
- Last updated: 2015-05-07
- Version: Splunk Enterprise 6.0.1

Overview
Splunk determines whether the data in a monitored file has already been ingested by looking at a hash value computed from the data.
When a log is rotated and converted to a compressed format, that hash value changes, so Splunk treats data it has already ingested as new data and ingests it again.
Duplicate events therefore occur when the rotated file is in compressed format and sits in the monitored directory.
In this case, a whitelist or blacklist can be configured so that rotated files are excluded from monitoring.

* About whitelist and blacklist settings
- whitelist: ingest only files whose names match the specified regular expression
- blacklist: ingest only files whose names do not match the specified regular expression
Settings to exclude specific files from monitoring

[Setting procedure for ingesting only specific files with a whitelist]
- Edit the following configuration file.
    $SPLUNK_HOME/etc/apps/<app name>/local/inputs.conf

    [monitor://<path to the monitored directory or file>]
    whitelist = \.log$
  * Set whitelist to a regular expression that specifies the files to ingest.
- Restart the Splunk service.

[Setting procedure for excluding only specific files from ingestion with a blacklist]
- Edit the following configuration file.
    $SPLUNK_HOME/etc/apps/<app name>/local/inputs.conf

    [monitor://<path to the monitored directory or file>]
    blacklist = \.gz$
  * Set blacklist to a regular expression that specifies the files to exclude from ingestion.
- Restart the Splunk service.
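As an added example (not from the original page and not Splunk's own code), the following Python script models the two points above: a hash over the head of a file changes once the rotated log is gzip-compressed, and an inputs.conf-style whitelist or blacklist regex decides which files in a constructed directory listing would be monitored. The fingerprint (SHA-256 over the first 256 bytes), the sample log text, the file paths and the blacklist-over-whitelist precedence are assumptions made for this illustration.

```python
import gzip
import hashlib
import re

# Constructed sample log content (not from the original page).
LOG_TEXT = b"2015-05-07 09:00:01 INFO  service started\n" * 20

# Constructed listing of a monitored directory after two rotations.
ROTATED_DIR = [
    "/var/log/app/app.log",
    "/var/log/app/app.log.1",
    "/var/log/app/app.log.2.gz",
    "/var/log/app/app.log.3.gz",
]


def head_fingerprint(data: bytes, length: int = 256) -> str:
    """Simplified model of the per-file hash Splunk keeps: hash the first
    `length` bytes. Assumption: SHA-256 stands in for Splunk's real
    fingerprint; what matters is that the head bytes change on compression."""
    return hashlib.sha256(data[:length]).hexdigest()


def rotation_changes_fingerprint(log_bytes: bytes) -> bool:
    """True when the gzip-compressed copy of a rotated log has a different
    fingerprint from the plain file, which is why it is ingested again."""
    plain = head_fingerprint(log_bytes)
    compressed = head_fingerprint(gzip.compress(log_bytes))
    return plain != compressed


def select_monitored(paths, whitelist=None, blacklist=None):
    """Apply whitelist/blacklist regexes with unanchored search semantics
    against the full path and return the paths that would be monitored.
    Assumption: a blacklist match always excludes a file."""
    keep = []
    for path in paths:
        if whitelist and not re.search(whitelist, path):
            continue
        if blacklist and re.search(blacklist, path):
            continue
        keep.append(path)
    return keep


if __name__ == "__main__":
    print("compressed copy looks new:", rotation_changes_fingerprint(LOG_TEXT))
    print("whitelist \\.log$ :", select_monitored(ROTATED_DIR, whitelist=r"\.log$"))
    print("blacklist \\.gz$  :", select_monitored(ROTATED_DIR, blacklist=r"\.gz$"))
```

Note that the whitelist `\.log$` also drops the uncompressed `app.log.1`, while the blacklist `\.gz$` keeps it; choose the pattern according to whether rotated-but-uncompressed files should still be ingested.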
That is all.
Contact: Macnica Splunk Co., Ltd.
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
- Weekdays: 9:00-17:00