https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429045#M75178 <P>Hi,</P> <P>How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index?</P> <P>list of the servers:</P> <P>/opt/logs/<BR /> server1<BR /> server2<BR /> server3<BR /> server4<BR /> server5<BR /> server6</P> <P>inputs.conf</P> <P>[monitor:///opt/logs/*/*log]<BR /> disabled = 0<BR /> host_segment = 4<BR /> index = abc<BR /> blacklist=(server4|server5)<BR /> sourcetype = abc<BR /> blacklist = .gz$</P> <P>[monitor:///opt/logs/*/*log]<BR /> disabled = 0<BR /> host_segment = 4<BR /> index = xyz<BR /> whitelsit=(server4|server5)<BR /> sourcetype = abc<BR /> blacklist = .gz$</P> Tue, 29 Sep 2020 21:02:49 GMT knalla 2020-09-29T21:02:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429045#M75178 <P>Hi,</P> <P>How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index?</P> <P>list of the servers:</P> <P>/opt/logs/<BR /> server1<BR /> server2<BR /> server3<BR /> server4<BR /> server5<BR /> server6</P> <P>inputs.conf</P> <P>[monitor:///opt/logs/*/*log]<BR /> disabled = 0<BR /> host_segment = 4<BR /> index = abc<BR /> blacklist=(server4|server5)<BR /> sourcetype = abc<BR /> blacklist = .gz$</P> <P>[monitor:///opt/logs/*/*log]<BR /> disabled = 0<BR /> host_segment = 4<BR /> index = xyz<BR /> whitelsit=(server4|server5)<BR /> sourcetype = abc<BR /> blacklist = .gz$</P> Tue, 29 Sep 2020 21:02:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429045#M75178 knalla 2020-09-29T21:02:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429046#M75179 <P>Hi,<BR /> You can do this, please find the docs below.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_data_by_target_index">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_data_by_target_index</A><BR /> you will have to blacklist them and assign to a different group name and mention that in outputs.conf</P> Tue, 28 Aug 2018 21:14:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429046#M75179 pruthvikrishnap 2018-08-28T21:14:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429047#M75180 <P>@knalla,</P> <P>Please refer to previous answers. Let me know if it helps you or not.</P> <P><A href="https://answers.splunk.com/answers/141957/blacklist-file-form-inputs-conf.html">https://answers.splunk.com/answers/141957/blacklist-file-form-inputs-conf.html</A></P> <P><A href="https://answers.splunk.com/answers/134091/inputs-conf-whitelist-blacklist-question.html">https://answers.splunk.com/answers/134091/inputs-conf-whitelist-blacklist-question.html</A></P> <P><A href="https://answers.splunk.com/answers/542588/how-to-edit-inputsconf-to-blacklist-an-eventcode.html">https://answers.splunk.com/answers/542588/how-to-edit-inputsconf-to-blacklist-an-eventcode.html</A></P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Whitelistorblacklistspecificincomingdata">http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Whitelistorblacklistspecificincomingdata</A></P> Wed, 29 Aug 2018 11:40:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429047#M75180 Shan 2018-08-29T11:40:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429048#M75181 <P>If a file matches the regexes in both the blacklist and whitelist settings, the file is NOT monitored. Blacklists take precedence over whitelists.</P> <P>Try this combination in inputs.conf and see of it works,</P> <PRE><CODE>[monitor:///opt/logs/*/*log] disabled = 0 host_segment = 4 index = abc whitelist=(server1|server2|server3|server6) sourcetype = abc blacklist = .gz$ [monitor:///opt/logs/*/*log] disabled = 0 host_segment = 4 index = xyz whitelsit=(server4|server5) sourcetype = abc blacklist = .gz$ </CODE></PRE> <P>Also, based on your monitor statement, I don't think <CODE>host_segment=4</CODE> will pick up directory name as hostname. Try host_segment=3.</P> <P>For example, if you set <CODE>host_segment=3</CODE> and the monitor path is <CODE>/opt/logs/host01/some.log</CODE>, Splunk software sets the host as "host01" because that is the third segment.</P> Wed, 29 Aug 2018 13:39:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429048#M75181 sudosplunk 2018-08-29T13:39:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429049#M75182 <P>Thanks for the response, I have multiple hosts to white list around 200 and black list around 10.</P> <P>can I use 2 blacklists in a stanza, one for the hosts and one for .gz$?</P> Thu, 30 Aug 2018 16:03:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429049#M75182 knalla 2018-08-30T16:03:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429050#M75183 <P>Since blacklist supports regex, you can define regex to capture all 200 OR 10 hosts. Let me know how your hostname(s) looks like and I will try to provide a regex.</P> <P>To my knowledge, you should be able to use 2 blacklists but be sure to number them, blacklist1, blacklist2, blacklist3 so on. More details <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor">here</A>. </P> <P>Alternatively, this should also work, <CODE>blacklist = server1|\.gz$</CODE></P> Thu, 30 Aug 2018 17:56:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-blacklist-in-inputs-conf/m-p/429050#M75183 sudosplunk 2018-08-30T17:56:07Z