All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use of Blacklist and Wildcards in File/Directory Information Inputs App

bimord
Path Finder
‎11-04-2020 05:10 PM

Hi @LukeMurphey 

I am implementing this app to our environment and I was wondering if it is possible to do a few things?

  • use a wildcard in the file_path inputs ?
    • e.g. file_path = C:\Users\...\Chrome OR file_path=C:\Users\*\Local
  • use a blacklist to ignore certain file types ?
    • e.g. blacklist1 = lnk$

Thanks in advance 🙂

Labels (1)
Labels
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2020 06:06 AM

Yes, you can do both of those things. It's very common to use, for example, blacklist1 = \.gz$ to avoid indexing compressed files (often in the case of rolled log files).

See https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#MONITOR:

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bimord
Path Finder
‎11-05-2020 01:36 PM

thanks @richgalloway for the feedback on the use of blacklist for use in inputs.conf.

Do you happen to have an example of how to use wildcards for the file_path field used by this app?

Cheers

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2020 02:09 PM

Sorry, I was thinking of a different app when I gave my previous answer.  The file_meta_data app has a "file_filter" option that appears to be what you're looking for, but I have no experience with the app so I don't know for sure.

The app is marked as Not Supported, but it may be worth contacting the developer for assistance or, at least, documentation.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bimord
Path Finder
‎11-05-2020 08:11 PM

Yeah having tried to used blacklist for the file_meta_data app i can see from the internal logs that it isn't supported.

I also tried the file_filter field but it seems to act more like a whitelist and so isn't working for my use case.

@LukeMurpheyis the developer of this app (hence why I started my post with his member link) so hopefully he will see this post and let me know how to get the ball rolling 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...