Use of Blacklist and Wildcards in File/Directory Information Inputs App

bimord
Path Finder

Hi @LukeMurphey 

I am implementing this app in our environment and I was wondering if it is possible to do a few things:

  • use a wildcard in the file_path inputs?
    • e.g. file_path = C:\Users\...\Chrome OR file_path = C:\Users\*\Local
  • use a blacklist to ignore certain file types?
    • e.g. blacklist1 = lnk$

Thanks in advance 🙂

richgalloway
SplunkTrust

Yes, you can do both of those things. It's very common to use, for example, blacklist1 = \.gz$ to avoid indexing compressed files (often in the case of rolled log files).

See https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#MONITOR:

---
If this reply helps you, Karma would be appreciated.

bimord
Path Finder

Thanks @richgalloway for the feedback on the use of blacklist in inputs.conf.

Do you happen to have an example of how to use wildcards for the file_path field used by this app?

Cheers

richgalloway
SplunkTrust

Sorry, I was thinking of a different app when I gave my previous answer.  The file_meta_data app has a "file_filter" option that appears to be what you're looking for, but I have no experience with the app so I don't know for sure.

The app is marked as Not Supported, but it may be worth contacting the developer for assistance or, at least, documentation.

bimord
Path Finder

Yeah, having tried to use blacklist for the file_meta_data app, I can see from the internal logs that it isn't supported.

I also tried the file_filter field but it seems to act more like a whitelist and so isn't working for my use case.

@LukeMurphey is the developer of this app (hence why I started my post with his member link) so hopefully he will see this post and let me know how to get the ball rolling 🙂
