https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150484#M30593 <P>Greetings</P> <P>I have trying to gather logs by sifting through three levels of the file system with a white list and blacklist. It is not working and outside of creating a very long list of monitors I am not sure what to do anymore.</P> <P>Any help is much appreciated.</P> <P>Thanks!</P> <P>My config</P> <P>[monitor:///opt/transient/prod/data/xxxxxx/xxx/xx_ci/log/]<BR /> recursive = true<BR /> sourcetype=prd_xxx_xx_log<BR /> disabled = false<BR /> crcSalt = <SOURCE><BR /> whitelist = .dat$|.log$|.err$|.txt$<BR /> blacklist = .gz$</SOURCE></P> <P>[monitor:///opt/transient/prod/data/xxxxxx/xxx/xxx_ci/error/]<BR /> recursive = true<BR /> sourcetype=prd_xxx_xx_error<BR /> disabled = false<BR /> crcSalt = <SOURCE><BR /> whitelist = .dat$|.log$|.err$|.txt$<BR /> blacklist = .gz$</SOURCE></P> <P>Any ideas?</P> Mon, 28 Sep 2020 16:31:24 GMT ebailey 2020-09-28T16:31:24Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150484#M30593 <P>Greetings</P> <P>I have trying to gather logs by sifting through three levels of the file system with a white list and blacklist. It is not working and outside of creating a very long list of monitors I am not sure what to do anymore.</P> <P>Any help is much appreciated.</P> <P>Thanks!</P> <P>My config</P> <P>[monitor:///opt/transient/prod/data/xxxxxx/xxx/xx_ci/log/]<BR /> recursive = true<BR /> sourcetype=prd_xxx_xx_log<BR /> disabled = false<BR /> crcSalt = <SOURCE><BR /> whitelist = .dat$|.log$|.err$|.txt$<BR /> blacklist = .gz$</SOURCE></P> <P>[monitor:///opt/transient/prod/data/xxxxxx/xxx/xxx_ci/error/]<BR /> recursive = true<BR /> sourcetype=prd_xxx_xx_error<BR /> disabled = false<BR /> crcSalt = <SOURCE><BR /> whitelist = .dat$|.log$|.err$|.txt$<BR /> blacklist = .gz$</SOURCE></P> <P>Any ideas?</P> Mon, 28 Sep 2020 16:31:24 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150484#M30593 ebailey 2020-09-28T16:31:24Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150485#M30594 <P>Yes! Ditch the blacklist. You only need the whitelist. You also don't need the <CODE>recursive</CODE> - that's the default.</P> <P>Finally - why do you have the crcSalt? </P> Fri, 02 May 2014 16:22:44 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150485#M30594 lguinn2 2014-05-02T16:22:44Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150486#M30595 <P>Thanks!</P> <P>I use crcSalt with the expectation it is going to be needed. I pulled it out.</P> <P>Question - I made the changes you recommended and the results look good except now I am picking up files such as </P> <P>test.dat.lock also I am picking up all . files such as </P> <P>.work</P> <P>Any ideas?</P> <P>Thanks</P> <P>Ed</P> Mon, 05 May 2014 11:10:21 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150486#M30595 ebailey 2014-05-05T11:10:21Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150487#M30596 <P>why to give 'blacklist' of Specific extensions of compressed files to exclude, where splunk already ignores..</P> <P>packed_extensions_list:<BR /> bz, bz2, tbz, tbz2, Z, gz, tgz, tar, zip</P> Mon, 28 Sep 2020 17:35:32 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150487#M30596 neelamssantosh 2020-09-28T17:35:32Z https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150488#M30597 <P>hmmm, this <CODE>packed_extensions_list</CODE> is an option to crawl.conf only <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Crawlconf">http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Crawlconf</A></P> <P>and here would be the correct statement regarding compressed files from <A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorFilesandDirectories">http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorFilesandDirectories</A></P> <UL> <LI>Splunk Enterprise decompresses archive files before it indexes them. It can handle these common archive file types: tar, gz, bz2, tar.gz, tgz, tbz, bz2, zip, and z.</LI> </UL> Tue, 16 Sep 2014 11:04:02 GMT https://community.splunk.com/t5/Getting-Data-In/inputs-conf-whitelist-blacklist-question/m-p/150488#M30597 MuS 2014-09-16T11:04:02Z