
Use of Blacklist and Wildcards in File/Directory Information Inputs App

bimord
Path Finder

Hi @LukeMurphey 

I am implementing this app to our environment and I was wondering if it is possible to do a few things?

  • use a wildcard in the file_path inputs?
    • e.g. file_path = C:\Users\...\Chrome OR file_path = C:\Users\*\Local
  • use a blacklist to ignore certain file types?
    • e.g. blacklist1 = lnk$

Thanks in advance 🙂


richgalloway
SplunkTrust

Yes, you can do both of those things. It's very common to use, for example, blacklist1 = \.gz$ to avoid indexing compressed files (often in the case of rolled log files).

See https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#MONITOR:

---
If this reply helps you, Karma would be appreciated.
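As an added illustration (not code from this thread, from the File/Directory Information app, or from Splunk itself) of how the inputs.conf monitor wildcards and the blacklist regex described above filter a set of paths: the snippet emulates the documented rules in Python ('...' spans directory levels, '*' stops at a separator, blacklist regexes are tested against the full path) and assumes a stanza that matches a directory also covers everything beneath it. The sample paths are constructed.

```python
import re

def monitor_path_regex(stanza_path: str) -> re.Pattern:
    """Translate an inputs.conf [monitor://...] path into a regex using the
    documented wildcard rules: '...' matches across any number of directory
    levels, '*' matches anything except a path separator, and a stanza that
    names a directory also covers everything beneath it. Constructed emulation
    of the documented behaviour, not splunkd's own matcher."""
    norm = stanza_path.replace("\\", "/")          # treat Windows and POSIX alike
    parts = []
    for token in re.split(r"(\.\.\.|\*)", norm):
        if token == "...":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("^" + "".join(parts) + r"(/.*)?$")

def monitored_files(stanza_path: str, blacklist: list[str], candidates: list[str]) -> list[str]:
    r"""Return the candidate paths the stanza would pick up: those matching the
    wildcard path and NOT matching any blacklist regex (blacklist<n> = <regex>
    is applied to the full path, e.g. blacklist1 = \.gz$)."""
    path_re = monitor_path_regex(stanza_path)
    deny = [re.compile(rx) for rx in blacklist]
    kept = []
    for path in candidates:
        if not path_re.match(path.replace("\\", "/")):
            continue                               # outside the monitored tree
        if any(rx.search(path) for rx in deny):
            continue                               # excluded by a blacklist regex
        kept.append(path)
    return kept

# Constructed sample paths (not taken from any real host).
CANDIDATES = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\History",
    r"C:\Users\alice\AppData\Local\Google\Chrome\shortcut.lnk",
    r"C:\Users\bob\AppData\Local\Google\Chrome\History.gz",
    r"C:\Users\bob\Documents\notes.txt",
    r"D:\Users\carol\AppData\Local\Google\Chrome\History",
]

if __name__ == "__main__":
    deny = [r"lnk$", r"\.gz$"]
    print(monitored_files(r"C:\Users\...\Chrome", deny, CANDIDATES))
    # '*' stops at a separator, so this stanza never reaches ...\AppData\Local
    print(monitored_files(r"C:\Users\*\Local", deny, CANDIDATES))
    print(monitored_files(r"C:\Users\*\AppData\Local", deny, CANDIDATES))
```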

bimord
Path Finder

Thanks @richgalloway for the feedback on the use of blacklist in inputs.conf.

Do you happen to have an example of how to use wildcards for the file_path field used by this app?

Cheers


richgalloway
SplunkTrust

Sorry, I was thinking of a different app when I gave my previous answer. The file_meta_data app has a "file_filter" option that appears to be what you're looking for, but I have no experience with the app so I don't know for sure.

The app is marked as Not Supported, but it may be worth contacting the developer for assistance or, at least, documentation.

---
If this reply helps you, Karma would be appreciated.

bimord
Path Finder

Yeah, having tried to use blacklist for the file_meta_data app, I can see from the internal logs that it isn't supported.

I also tried the file_filter field, but it seems to act more like a whitelist and so isn't working for my use case.

@LukeMurphey is the developer of this app (hence why I started my post with his member link), so hopefully he will see this post and let me know how to get the ball rolling 🙂
