<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Deploying blacklist configuration in inputs.conf to universal forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51366#M9851</link>
    <description>&lt;P&gt;By default, &lt;CODE&gt;monitor://&lt;/CODE&gt; stanzas look for files recursively and settings in one stanza do not affect the other.  So, yes, it's entirely possible that your &lt;CODE&gt;/var/log/&lt;/CODE&gt; stanza is ignoring your blacklist for &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt;.  A couple of workable options include:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Blacklist "/var/log/httpd/.*" in your &lt;CODE&gt;/var/log&lt;/CODE&gt; stanza and use the &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt; stanza to get all of those.&lt;/LI&gt;
&lt;LI&gt;Blacklist &lt;CODE&gt;goonhilly_access&lt;/CODE&gt; in your &lt;CODE&gt;/var/log&lt;/CODE&gt; stanza and don't have a &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt; stanza at all.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There are CLI commands and REST endpoints to tell you which stanzas are detecting which files.  One of the most useful ways of display this is with Amrit's script @ &lt;A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/"&gt;http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Sat, 14 Jan 2012 15:14:00 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2012-01-14T15:14:00Z</dc:date>
    <item>
      <title>Deploying blacklist configuration in inputs.conf to universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51365#M9850</link>
      <description>&lt;P&gt;I am having problems blacklisting a sourcefile from being indexed.&lt;/P&gt;

&lt;P&gt;We currently run version 4.3 and deploy configurations to a number of remote universal forwarders.  &lt;/P&gt;

&lt;P&gt;By default, our universal forwarder indexes index everything, defined as follows:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;#/opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log]
disabled = false
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;There are several logs that are unnecessary and that generate large logs that I would like to stop from getting indexed.  To do that, I modified inputs.conf on the indexer/search head as follows:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;#/opt/splunk/etc/deployment-apps/forwarder/local/inputs.conf
[monitor:///var/log/httpd]
blacklist = goonhilly_access
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;As you can see, this inputs.conf file is different than the one that is used for the default configuration (search).&lt;/P&gt;

&lt;P&gt;I then deployed this to the remote universal forwarder in question and restarted.&lt;/P&gt;

&lt;P&gt;The problem is that the file is still getting indexed.&lt;/P&gt;

&lt;P&gt;Do I have a problem with inputs.conf files being in conflict?&lt;/P&gt;

&lt;P&gt;The &lt;BR /&gt;
Any ideas?&lt;/P&gt;</description>
      <pubDate>Sat, 14 Jan 2012 14:10:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51365#M9850</guid>
      <dc:creator>jcbrendsel</dc:creator>
      <dc:date>2012-01-14T14:10:27Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying blacklist configuration in inputs.conf to universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51366#M9851</link>
      <description>&lt;P&gt;By default, &lt;CODE&gt;monitor://&lt;/CODE&gt; stanzas look for files recursively and settings in one stanza do not affect the other.  So, yes, it's entirely possible that your &lt;CODE&gt;/var/log/&lt;/CODE&gt; stanza is ignoring your blacklist for &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt;.  A couple of workable options include:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Blacklist "/var/log/httpd/.*" in your &lt;CODE&gt;/var/log&lt;/CODE&gt; stanza and use the &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt; stanza to get all of those.&lt;/LI&gt;
&lt;LI&gt;Blacklist &lt;CODE&gt;goonhilly_access&lt;/CODE&gt; in your &lt;CODE&gt;/var/log&lt;/CODE&gt; stanza and don't have a &lt;CODE&gt;/var/log/httpd&lt;/CODE&gt; stanza at all.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;There are CLI commands and REST endpoints to tell you which stanzas are detecting which files.  One of the most useful ways of display this is with Amrit's script @ &lt;A href="http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/"&gt;http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Sat, 14 Jan 2012 15:14:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51366#M9851</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2012-01-14T15:14:00Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying blacklist configuration in inputs.conf to universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51367#M9852</link>
      <description>&lt;P&gt;That did the trick.  Thanks.&lt;/P&gt;</description>
      <pubDate>Sun, 15 Jan 2012 03:40:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51367#M9852</guid>
      <dc:creator>jcbrendsel</dc:creator>
      <dc:date>2012-01-15T03:40:42Z</dc:date>
    </item>
    <item>
      <title>Re: Deploying blacklist configuration in inputs.conf to universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51368#M9853</link>
      <description>&lt;P&gt;I believe the line needs to be in regex format (according to:  &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Whitelistorblacklistspecificincomingdata"&gt;http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Whitelistorblacklistspecificincomingdata&lt;/A&gt;).&lt;/P&gt;

&lt;P&gt;so, it should read:&lt;BR /&gt;
goonhilly_access$&lt;/P&gt;

&lt;P&gt;where $ = end of line&lt;/P&gt;</description>
      <pubDate>Thu, 08 Oct 2015 15:00:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Deploying-blacklist-configuration-in-inputs-conf-to-universal/m-p/51368#M9853</guid>
      <dc:creator>Michael</dc:creator>
      <dc:date>2015-10-08T15:00:00Z</dc:date>
    </item>
  </channel>
</rss>

