How to set up the log to be rotated
- Release date: 2015-05-07
- Last updated: 2015-05-07
- Version: Splunk Enterprise 6.0.1
- Overview: How to set up the log to be rotated
- Reference information: (none)
Content
Splunk decides whether monitored data has already been ingested by comparing a hash value computed from the data.
When a log is rotated and converted to a compressed format, that hash value changes, so Splunk treats data it has already ingested as new data and ingests it again.
Events can therefore be captured twice when the rotated file is compressed and remains in the monitored directory.
In this case, you can exclude the rotated files from monitoring by configuring a whitelist or a blacklist.
* About the whitelist and blacklist settings
- whitelist: import only files whose names match the specified pattern (a regular expression)
- blacklist: import only files whose names do not match the specified pattern (a regular expression)
Settings to exclude specific files from monitoring
[Setting procedure for importing only specific files with a whitelist]
- Edit the following configuration file:
  $SPLUNK_HOME/etc/<any app>/local/inputs.conf
  [monitor://<path of the monitored directory or file>]
  whitelist = \.log$
  * Set whitelist to a regular expression that matches the files to be imported.
- Restart the Splunk service.
[Setting procedure for excluding only specific files with a blacklist]
- Edit the following configuration file:
  $SPLUNK_HOME/etc/<any app>/local/inputs.conf
  [monitor://<path of the monitored directory or file>]
  blacklist = \.gz$
  * Set blacklist to a regular expression that matches the files to be excluded from import.
- Restart the Splunk service.
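The following script is an added example written for this page; it is not code from the FAQ or from Splunk. It models the two points above in one place: why a compressed rotated copy is seen as new data (its leading bytes, and therefore its fingerprint, differ from the plain-text log) and how the whitelist and blacklist stanzas from the procedure filter a directory listing. The directory contents and the inputs.conf stanzas are constructed for the example. Assumptions: the fingerprint is a CRC over the first 256 bytes as a stand-in for Splunk's own check, the regex is searched against the full path, and a blacklist match takes precedence when both settings are present.

```python
import gzip
import re
import zlib
from typing import Dict, List

# Constructed sample directory (path -> content), standing in for a real
# /var/log/app listing: the live log, one plain rotated copy and two
# gzip-compressed rotated copies. Not taken from the original page.
LOG_CONTENT = b"2015-05-07 08:45:00 INFO service started\n" * 20
SAMPLE_DIR: Dict[str, bytes] = {
    "/var/log/app/app.log": LOG_CONTENT,
    "/var/log/app/app.log.1": LOG_CONTENT,                      # rotated, still plain text
    "/var/log/app/app.log.2.gz": gzip.compress(LOG_CONTENT),    # rotated and compressed
    "/var/log/app/app.log-20150507.gz": gzip.compress(LOG_CONTENT),
}

# Constructed inputs.conf stanzas following the FAQ's two procedures.
WHITELIST_STANZA = r"""
[monitor:///var/log/app]
whitelist = \.log$
"""
BLACKLIST_STANZA = r"""
[monitor:///var/log/app]
blacklist = \.gz$
"""


def file_fingerprint(data: bytes, prefix_len: int = 256) -> int:
    """Fingerprint of a file's leading bytes. This stands in for the hash Splunk
    keeps to decide whether a file was already ingested; the algorithm and the
    prefix length are an assumption made for this example."""
    return zlib.crc32(data[:prefix_len])


def files_seen_as_new(files: Dict[str, bytes], ingested: bytes) -> List[str]:
    """Paths whose fingerprint differs from data that was already ingested.
    A plain rotated copy keeps the fingerprint; a gzip copy does not, so it
    would be read again as new data (the duplicate the FAQ describes)."""
    known = file_fingerprint(ingested)
    return sorted(p for p, data in files.items() if file_fingerprint(data) != known)


def parse_monitor_stanza(text: str) -> Dict[str, str]:
    """Minimal parser for one [monitor://...] stanza: returns the monitored
    path plus any whitelist/blacklist settings as raw regex strings."""
    stanza: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[monitor://") and line.endswith("]"):
            stanza["path"] = line[len("[monitor://"):-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanza[key.strip()] = value.strip()
    return stanza


def selected_files(paths: List[str], stanza: Dict[str, str]) -> List[str]:
    """Apply the stanza's whitelist/blacklist as the FAQ describes: with a
    whitelist only matching paths are read, with a blacklist matching paths
    are skipped. Assumptions: the regex is searched against the full path,
    and a blacklist match wins if both settings are present."""
    whitelist = stanza.get("whitelist")
    blacklist = stanza.get("blacklist")
    chosen: List[str] = []
    for path in sorted(paths):
        if not path.startswith(stanza.get("path", "")):
            continue  # outside the monitored directory
        if whitelist and not re.search(whitelist, path):
            continue  # whitelist set, but this file does not match it
        if blacklist and re.search(blacklist, path):
            continue  # blacklist matches, so the file is excluded
        chosen.append(path)
    return chosen


if __name__ == "__main__":
    print("re-read as new without a filter:", files_seen_as_new(SAMPLE_DIR, LOG_CONTENT))
    for name, conf in (("whitelist", WHITELIST_STANZA), ("blacklist", BLACKLIST_STANZA)):
        print(f"{name} stanza selects:", selected_files(list(SAMPLE_DIR), parse_monitor_stanza(conf)))
```

Running it shows that only the two .gz copies are flagged as new data, that the whitelist `\.log$` keeps just the live app.log, and that the blacklist `\.gz$` keeps app.log together with the plain rotated copy app.log.1, which the fingerprint check already recognises as ingested data.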
That is all.
Contact: Macnica Co., Ltd. (Splunk team)
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30