All,
I am getting an alert "Saved Search [ForwarderLevel - File Too Small to checkCRC occurring multiple times]: number of events (18) "
The file is a file on my Solaris boxes.
'/etc/dfs/sharetab'
I don't care about this file, so I thought I could just blacklist it in my inputs.conf like this. But it doesn't seem to be working. Any idea what I am missing?
[monitor:///etc]
index = configs
whitelist=(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
blacklist = sharetab
disabled = False
I'm not personally familiar with blacklisting, but I'm fairly confident you just need to use regex, e.g.:
blacklist = */sharetab/?*
https://docs.splunk.com/Documentation/Splunk/latest/Admin/InputsConf#MONITOR:
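A quick offline check of the patterns in this thread, as an added example that is not part of either post: Python's `re` stands in for Splunk's regex engine (an assumption), applying the documented rule that whitelist and blacklist are regexes matched against the full path and that the blacklist takes precedence. The function names, the `/sharetab$` candidate and the sample paths other than /etc/dfs/sharetab are constructed for illustration.

```python
import re

# Patterns copied from the inputs.conf stanza in the question.
WHITELIST = r"(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)"
BLACKLIST = r"sharetab"


def compile_or_none(pattern):
    """Return a compiled regex, or None if the pattern is not a valid regex."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def is_monitored(path, whitelist, blacklist):
    """Emulate the monitor filter: unanchored search, blacklist wins over whitelist.

    Assumption: an invalid regex is treated here as 'matches nothing'.
    """
    wl = compile_or_none(whitelist) if whitelist else None
    bl = compile_or_none(blacklist) if blacklist else None
    if bl is not None and bl.search(path):
        return False
    if whitelist:
        return wl is not None and wl.search(path) is not None
    return True


# Constructed sample paths under the monitored /etc directory.
SAMPLE_PATHS = ["/etc/dfs/sharetab", "/etc/dfs/dfstab", "/etc/vfstab", "/etc/passwd"]

if __name__ == "__main__":
    # Candidates: the question's value, an anchored variant, the reply's value.
    for candidate in (BLACKLIST, r"/sharetab$", r"*/sharetab/?*"):
        state = "valid" if compile_or_none(candidate) else "INVALID regex"
        print(f"blacklist = {candidate!r}: {state}")
        for p in SAMPLE_PATHS:
            print(f"  {p}: monitored={is_monitored(p, WHITELIST, candidate)}")
```

Running the same kind of check against paths from the affected forwarder shows whether a given blacklist value both compiles as a regex and excludes only the intended file before inputs.conf is changed.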