https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96191#M20036 <P>'splunk clean eventdata' clears data that has already been indexed. Since the data is coming in via a UF, and the UF has no indexes, this isn't a valid command. You could try to run 'splunk clean eventdata syslog -f', but would clear out ALL your syslog data, so use it carefully. It is possible that, if you've got a lot of data, that some of it is still queued on the forwarder. </P> <P>You could also look at the file input status by running the following command on the UF in $SPLUNK_HOME/bin/</P> <PRE><CODE>splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> Fri, 06 May 2011 15:16:10 GMT jbsplunk 2011-05-06T15:16:10Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96190#M20035 <P>I'm using the universal forwarder on Solaris.</P> <P>I set up the following input:</P> <P><CODE><BR /> [monitor:///var/log]<BR /> disabled = false<BR /> index = syslog<BR /> </CODE></P> <P>and then discovered the joy of /var/log/pool/poold, to which the system writes once every fifteen seconds. We don't really need or care about that log, so I added</P> <P><CODE><BR /> blacklist = .*poold$<BR /> </CODE></P> <P>and restarted the forwarder. I can see from the output of "splunk list monitor" that the file is no longer supposedly being watched, but I'm still getting new events from it!</P> <P>Someone else here mentioned that they used "splunk clean eventdata" to clear up this sort of problem, but that only works with the full Splunk install, not with the universal forwarder.</P> <P>Any ideas?</P> Fri, 06 May 2011 05:53:35 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96190#M20035 mjmcleod 2011-05-06T05:53:35Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96191#M20036 <P>'splunk clean eventdata' clears data that has already been indexed. Since the data is coming in via a UF, and the UF has no indexes, this isn't a valid command. You could try to run 'splunk clean eventdata syslog -f', but would clear out ALL your syslog data, so use it carefully. It is possible that, if you've got a lot of data, that some of it is still queued on the forwarder. </P> <P>You could also look at the file input status by running the following command on the UF in $SPLUNK_HOME/bin/</P> <PRE><CODE>splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> Fri, 06 May 2011 15:16:10 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96191#M20036 jbsplunk 2011-05-06T15:16:10Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96192#M20037 <P>I'd been giving it a good 30 minutes to clear the forwarder queue, but it was still going.</P> <P>Came back today after the weekend and it's stopped pushing data over from that log. So something of a false alarm!</P> Tue, 10 May 2011 05:09:24 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-problem/m-p/96192#M20037 mjmcleod 2011-05-10T05:09:24Z