https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299255#M56598 <P>Hi scottprigge,<BR /> try to use <CODE>blacklist = lost\+found</CODE><BR /> and then restart Splunk on Forwarder.<BR /> Bye.<BR /> Giuseppe</P> Thu, 24 Aug 2017 08:33:32 GMT gcusello 2017-08-24T08:33:32Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299254#M56597 <P>Hi. I have configured a 6.5.3 Linux Universal Forwarder with an inputs.conf like this:</P> <PRE><CODE>[monitor:///www/*/logs/access_log*] disabled = 0 index = web sourcetype = access_combined crcSalt = &lt;SOURCE&gt; blacklist = \.gz$|lost\+found </CODE></PRE> <P>I am trying to blacklist a directory named '/www/lost+found' because the splunk user does not have read-permission to this directory. But the blacklist regex isn't working because I am still seeing a <CODE>WARN FilesystemChangeWatcher - error reading directory "/www/lost+found": Permission denied</CODE> error in the _internal log. It seems to be ignoring .gz files as I would expect. Is this an issue with the regex? Or is this more of an order-of-operations type of situation where it needs to read the directory before processing the blacklist?</P> Wed, 23 Aug 2017 20:27:30 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299254#M56597 _smp_ 2017-08-23T20:27:30Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299255#M56598 <P>Hi scottprigge,<BR /> try to use <CODE>blacklist = lost\+found</CODE><BR /> and then restart Splunk on Forwarder.<BR /> Bye.<BR /> Giuseppe</P> Thu, 24 Aug 2017 08:33:32 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299255#M56598 gcusello 2017-08-24T08:33:32Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299256#M56599 <P>Sorry, maybe I misunderstood something. But I already have that exact blacklist regex included in the stanza of my original post. The difference is that I also need to exclude files ending with a .gz extension so my regex looks like <CODE>\.gz$|lost\+found</CODE></P> Thu, 24 Aug 2017 12:25:07 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299256#M56599 _smp_ 2017-08-24T12:25:07Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299257#M56600 <P>Sorry I misunderstood,<BR /> try with</P> <PRE><CODE>blacklist = \.gz$|lost\+found. </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 25 Aug 2017 08:49:16 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299257#M56600 gcusello 2017-08-25T08:49:16Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299258#M56601 <P>No, that doesn't seem to have made any difference.</P> Fri, 25 Aug 2017 14:39:54 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299258#M56601 _smp_ 2017-08-25T14:39:54Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299259#M56602 <P>Try this:</P> <PRE><CODE> blacklist = \.gz$|(lost\+found) </CODE></PRE> Fri, 25 Aug 2017 15:10:17 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299259#M56602 woodcock 2017-08-25T15:10:17Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299260#M56603 <P>Unfortunately no, that didn't work either.</P> Fri, 25 Aug 2017 17:40:56 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-directories-without-read-permission/m-p/299260#M56603 _smp_ 2017-08-25T17:40:56Z