https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39515#M7341 <P>I am attempting to blacklist all files that end with these extensions in my inputs.conf file. The blacklist is not working correctly. These are image files located under a /images directory on the web server. These files are Not in the same directory as the log file. They are directory entries in the nginx-access log file contents. <BR /> For example</P> <PRE><CODE>/wd/code/websites/wd-current/www/images/* /wd/code/websites/wd-current/www/js/resources/* /wd/code/websites/sample.it/www/resources/* </CODE></PRE> <P>I have attempted a few different methods. Any suggestions? </P> <PRE><CODE>[default] host = oh.br0ther.com [monitor:///var/log/nginx-access.log] blacklist= \.(jpg|png|gif|mov|js|swf|mp4|jar|signed|flv)$ </CODE></PRE> Tue, 20 Nov 2012 02:18:48 GMT Voltaire 2012-11-20T02:18:48Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39515#M7341 <P>I am attempting to blacklist all files that end with these extensions in my inputs.conf file. The blacklist is not working correctly. These are image files located under a /images directory on the web server. These files are Not in the same directory as the log file. They are directory entries in the nginx-access log file contents. <BR /> For example</P> <PRE><CODE>/wd/code/websites/wd-current/www/images/* /wd/code/websites/wd-current/www/js/resources/* /wd/code/websites/sample.it/www/resources/* </CODE></PRE> <P>I have attempted a few different methods. Any suggestions? </P> <PRE><CODE>[default] host = oh.br0ther.com [monitor:///var/log/nginx-access.log] blacklist= \.(jpg|png|gif|mov|js|swf|mp4|jar|signed|flv)$ </CODE></PRE> Tue, 20 Nov 2012 02:18:48 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39515#M7341 Voltaire 2012-11-20T02:18:48Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39516#M7342 <P>Are you trying to block files from being read by Splunk or to block specific lines of a logfile from being indexed?</P> Tue, 20 Nov 2012 08:09:53 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39516#M7342 martin_mueller 2012-11-20T08:09:53Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39517#M7343 <P>I am trying to block files from being read by splunk in those directories. <BR /> Thank you.</P> Tue, 20 Nov 2012 18:27:02 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39517#M7343 Voltaire 2012-11-20T18:27:02Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39518#M7344 <P>Your stanza will monitor only the following files:<BR /><BR /> 1 - files named <CODE>/var/log/nginx-access.log</CODE><BR /><BR /> 2 - files underneath a directory named <CODE>/var/log/nginx-access.log</CODE></P> <P>Since this is <STRONG>not</STRONG> the stanza that is monitoring the directories that you name, putting the blacklist here will not help.</P> <P>I don't see anything wrong with your blacklist, it just needs to be moved so that it will be part of the proper monitor stanza.</P> Tue, 20 Nov 2012 18:45:59 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39518#M7344 lguinn2 2012-11-20T18:45:59Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39519#M7345 <P>In your file monitoring stanza above you are referencing a file and not a directory. If I wanted to monitor the images directory and blacklist all of the image files I would so something like this:</P> <PRE><CODE>[monitor:///wd/code/websites/wd-current/www/images/*] index = myindex sourcetype = mysourcetype blacklist= \.(jpg|png|gif|mov|js|swf|mp4|jar|signed|flv)$ </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories</A></P> Tue, 20 Nov 2012 18:49:31 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39519#M7345 sdaniels 2012-11-20T18:49:31Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39520#M7346 <P>Thank you Lisa!</P> Tue, 20 Nov 2012 19:04:03 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39520#M7346 Voltaire 2012-11-20T19:04:03Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39521#M7347 <P>Excellent, just modified inputs.conf on my forwarder. Would this command work if I wanted to exclude all files under the www directory in any of the subfolders? or do I have to add a different syntax ?<BR /> for example<BR /> [monitor:///wd/code/websites/wd-current/www/.../*]</P> <P>Thank you!</P> Tue, 20 Nov 2012 19:07:20 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39521#M7347 Voltaire 2012-11-20T19:07:20Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39522#M7348 <P>Some examples here. You can use elipsis wildcards or *.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/data/Specifyinputpathswithwildcards">http://docs.splunk.com/Documentation/Splunk/5.0/data/Specifyinputpathswithwildcards</A></P> Tue, 20 Nov 2012 19:09:33 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39522#M7348 sdaniels 2012-11-20T19:09:33Z https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39523#M7349 <P>Nice ! thats where I found the reference. Thank you!</P> Wed, 21 Nov 2012 01:22:06 GMT https://community.splunk.com/t5/Getting-Data-In/Blacklisting-clarification/m-p/39523#M7349 Voltaire 2012-11-21T01:22:06Z