https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98650#M20627 <P>I've added the following blacklist line:</P> <PRE><CODE>[monitor:///usr/local/alert/logs] blacklist = (bak|sqlsync|syncdb_log|sql_bak|WebCorder) </CODE></PRE> <P>And yet I see in my sources the following files are being indexed for that monitor:</P> <PRE><CODE>/usr/local/alert/logs/bak/ipdlog_new.12133 | 17,016 /usr/local/alert/logs/bak/ipdlog_new.18100 | 15,770 /usr/local/alert/logs/bak/ipdlog_new.9881 | 15,727 /usr/local/alert/logs/WebCorder/FF27774.65391.72094_001_act_src.html | 1 /usr/local/alert/logs/WebCorder/FF27774.65391.72094_002_act_src.html | 1 </CODE></PRE> <P>So clearly the blacklist is not working.</P> <P>Any help?</P> Fri, 03 Dec 2010 04:51:12 GMT jackal242 2010-12-03T04:51:12Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98650#M20627 <P>I've added the following blacklist line:</P> <PRE><CODE>[monitor:///usr/local/alert/logs] blacklist = (bak|sqlsync|syncdb_log|sql_bak|WebCorder) </CODE></PRE> <P>And yet I see in my sources the following files are being indexed for that monitor:</P> <PRE><CODE>/usr/local/alert/logs/bak/ipdlog_new.12133 | 17,016 /usr/local/alert/logs/bak/ipdlog_new.18100 | 15,770 /usr/local/alert/logs/bak/ipdlog_new.9881 | 15,727 /usr/local/alert/logs/WebCorder/FF27774.65391.72094_001_act_src.html | 1 /usr/local/alert/logs/WebCorder/FF27774.65391.72094_002_act_src.html | 1 </CODE></PRE> <P>So clearly the blacklist is not working.</P> <P>Any help?</P> Fri, 03 Dec 2010 04:51:12 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98650#M20627 jackal242 2010-12-03T04:51:12Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98651#M20628 <P>I found the problem.</P> <P>The problem is that I had already indexed the directory once without the blacklist and nothing removed those sources.</P> <P>I thought removing the monitor and readding it with the blacklist would remove all the unwanted directories.</P> <P>I had to do a "splunk clean eventdata" to get it to remove all the unwanted source directories that are now in the blacklist.</P> Fri, 03 Dec 2010 05:26:45 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98651#M20628 jackal242 2010-12-03T05:26:45Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98652#M20629 <P>(Some additional information for you)</P> <P>The "Search" app's initial Dashboard (the Summary page) is generated by running several searches against the already-indexed data. The sources list runs the following search:</P> <PRE><CODE>| metadata sources </CODE></PRE> <P>This includes an up to date event count which is updated roughly every 25 seconds. More info on the metadata command is available at <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Metadata" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/Metadata</A>.</P> <P>As you commented, removing an input from Splunk does not delete already indexed data from the index - it stops Splunk from indexing any additional data from those files.</P> Fri, 03 Dec 2010 20:53:10 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98652#M20629 dwaddle 2010-12-03T20:53:10Z https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98653#M20630 <P>Thanks Amrit for the additional detail here.</P> Fri, 03 Dec 2010 20:53:38 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklist-directory-names-not-working/m-p/98653#M20630 dwaddle 2010-12-03T20:53:38Z