Blacklist a file in my inputs.conf stanza?

daniel333
Builder

All,

I am getting an alert "Saved Search [ForwarderLevel - File Too Small to checkCRC occurring multiple times]: number of events (18) "

The file is a file on my Solaris boxes.

'/etc/dfs/sharetab'

I don't care about this file, so I thought I could just blacklist it in my inputs.conf like this. But it doesn't seem to be working. Any idea what I am missing?

[monitor:///etc]
index = configs
whitelist = (\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)
blacklist = sharetab
disabled = False
0 Karma

jacobpevans
Motivator

I'm not personally familiar with blacklisting, but I'm fairly confident you just need to use regex, e.g.:

blacklist = */sharetab/?*

https://docs.splunk.com/Documentation/Splunk/latest/Admin/InputsConf#MONITOR:

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
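
An offline check of the patterns in this thread, added here as an example (it is not part of either post and is not Splunk code). It assumes Python's `re` treats these simple patterns the way Splunk's regex engine does, that both settings are unanchored matches against the full path, and that a blacklist match overrides a whitelist match; the sample paths are constructed.

```python
import re

# Whitelist copied from the stanza in the question.
WHITELIST = (r"(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|"
             r"\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)")

# Blacklist values that appear in the thread (question, then reply).
CANDIDATES = ["sharetab", "*/sharetab/?*"]

# Constructed sample paths under the monitored /etc directory.
SAMPLE_PATHS = [
    "/etc/dfs/sharetab",
    "/etc/dfs/dfstab",
    "/etc/vfstab",
    "/etc/ssh/sshd_config",
    "/etc/passwd",
]


def compiles(pattern):
    """Return True if the pattern is a syntactically valid regex."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def is_monitored(path, whitelist, blacklist):
    """Assumed rule: blacklist wins; otherwise the whitelist must match."""
    if blacklist and re.search(blacklist, path):
        return False
    return bool(re.search(whitelist, path)) if whitelist else True


def report(blacklist):
    """Map each sample path to whether it would still be monitored."""
    return {p: is_monitored(p, WHITELIST, blacklist) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for candidate in CANDIDATES:
        if not compiles(candidate):
            print(f"{candidate!r}: not a valid regex, nothing would be excluded")
            continue
        for path, kept in report(candidate).items():
            print(f"{candidate!r}: {path} -> {'monitored' if kept else 'excluded'}")
```

If a pattern excludes the file here but the alert keeps firing, the thing to check next is which inputs.conf the forwarder actually loaded, for example with `splunk btool inputs list --debug`.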