https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253950#M48757 <P>Dear Community,</P> <P>In our Webserver we have the following Logs: <CODE>F:\IIS-Log</CODE><BR /> Sometimes we have <CODE>F:\IIS-LOG\FTP</CODE> and <CODE>F:\IIS-LOG\WWW</CODE> in this folder and sometimes the logs are stored on the Webserver without the FTP and WWW subfolders.</P> <P>So we created following "inputs.conf" entry for our Windows-Webserver-APP (Deployment App):</P> <PRE><CODE>[monitor://C:\inetpub\logs\LogFiles] blacklist=*\FTP*$ index=winwebserver sourcetype=iis disabled=0 [monitor://F:\IIS-Log] index=winwebserver sourcetype=iis blacklist=*\FTP*$ disabled=0 </CODE></PRE> <P>The Problem is, we still get the Logs from the <CODE>F:\IIS-LOG\FTP\</CODE> Folder...<BR /> we need the <CODE>*</CODE> wildcard because sometimes the Logs are stored in <CODE>F:\IIS-LOG\FTPSCV1\</CODE> folder etc.</P> <P>How to correctly blacklist the FTP-Logs?</P> Tue, 01 Dec 2015 10:17:04 GMT E_Andreas 2015-12-01T10:17:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253950#M48757 <P>Dear Community,</P> <P>In our Webserver we have the following Logs: <CODE>F:\IIS-Log</CODE><BR /> Sometimes we have <CODE>F:\IIS-LOG\FTP</CODE> and <CODE>F:\IIS-LOG\WWW</CODE> in this folder and sometimes the logs are stored on the Webserver without the FTP and WWW subfolders.</P> <P>So we created following "inputs.conf" entry for our Windows-Webserver-APP (Deployment App):</P> <PRE><CODE>[monitor://C:\inetpub\logs\LogFiles] blacklist=*\FTP*$ index=winwebserver sourcetype=iis disabled=0 [monitor://F:\IIS-Log] index=winwebserver sourcetype=iis blacklist=*\FTP*$ disabled=0 </CODE></PRE> <P>The Problem is, we still get the Logs from the <CODE>F:\IIS-LOG\FTP\</CODE> Folder...<BR /> we need the <CODE>*</CODE> wildcard because sometimes the Logs are stored in <CODE>F:\IIS-LOG\FTPSCV1\</CODE> folder etc.</P> <P>How to correctly blacklist the FTP-Logs?</P> Tue, 01 Dec 2015 10:17:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253950#M48757 E_Andreas 2015-12-01T10:17:04Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253951#M48758 <P>sorry i forgot the wildcard in the first post</P> <PRE><CODE>blacklist=FTP*$ </CODE></PRE> Tue, 01 Dec 2015 10:21:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253951#M48758 E_Andreas 2015-12-01T10:21:20Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253952#M48759 <P>The blacklist actually needs to be a regular expression. Remember that "*" is a reserved character meaning zero or more. Could you try doing the following?</P> <BLOCKQUOTE> <P>blacklist=FTP.*$ or maybe blacklist=FTP</P> </BLOCKQUOTE> <P>Here are some more examples.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Whitelistorblacklistspecificincomingdata">http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Whitelistorblacklistspecificincomingdata</A></P> <P>You can test your regular expression at:</P> <P><A href="https://regex101.com/">https://regex101.com/</A></P> Tue, 01 Dec 2015 12:50:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-correct-my-forwarder-blacklist-configuration-for-FTP/m-p/253952#M48759 jaredlaney 2015-12-01T12:50:21Z