Use of Blacklist and Wildcards in File/Directory Information Inputs App

bimord
Path Finder

Hi @LukeMurphey 

I am implementing this app in our environment and I was wondering if it is possible to do a few things?

  • use a wildcard in the file_path inputs?
    • e.g. file_path = C:\Users\...\Chrome OR file_path=C:\Users\*\Local
  • use a blacklist to ignore certain file types?
    • e.g. blacklist1 = lnk$

Thanks in advance 🙂

richgalloway
SplunkTrust

Yes, you can do both of those things. It's very common to use, for example, blacklist1 = \.gz$ to avoid indexing compressed files (often in the case of rolled log files).

See https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#MONITOR:

---
If this reply helps you, Karma would be appreciated.
0 Karma

bimord
Path Finder

Thanks @richgalloway for the feedback on the use of blacklist for use in inputs.conf.

Do you happen to have an example of how to use wildcards for the file_path field used by this app?

Cheers

0 Karma

richgalloway
SplunkTrust

Sorry, I was thinking of a different app when I gave my previous answer.  The file_meta_data app has a "file_filter" option that appears to be what you're looking for, but I have no experience with the app so I don't know for sure.

The app is marked as Not Supported, but it may be worth contacting the developer for assistance or, at least, documentation.

0 Karma

bimord
Path Finder

Yeah, having tried to use blacklist for the file_meta_data app, I can see from the internal logs that it isn't supported.

I also tried the file_filter field but it seems to act more like a whitelist and so isn't working for my use case.

@LukeMurphey is the developer of this app (hence why I started my post with his member link) so hopefully he will see this post and let me know how to get the ball rolling 🙂

0 Karma