
Blacklist directories?

Explorer

I'm missing something here:

blacklist = (samba|yum|.gz)

samba is a directory, the others are files.

Splunk still tries to monitor samba here; I see it in the output of "splunk list monitor". Also, splunkd.log says permission denied for samba, which means it's not ignoring it.

What am I missing? Is there a problem with the regex?

Ustun

0 Karma

Re: Blacklist directories?

Path Finder

Try this:

blacklist.0 = complete path of samba folder
blacklist.1 = *yum
blacklist.2 = *.gz

Amaral

0 Karma

Re: Blacklist directories?

Explorer

It didn't work that way either, I don't see a problem with this simple regex. I guess something else is going on. Will update once resolved.

Ustun

0 Karma

Re: Blacklist directories?

Contributor

I haven't seen any example yet where you can blacklist a directory.

0 Karma

Re: Blacklist directories?

Communicator

This answer is late, but for this problem you can just add the stanza below to your inputs.conf

[blacklist://<path>]

Cheers,
Dan

0 Karma
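
An added example, not part of any post in this thread: a small Python check of which file paths the question's `blacklist` regex would exclude, so that an over-broad pattern does not silently stop log sources from being monitored. It assumes the regex is applied as an unanchored search against the full path and uses Python's `re` as a stand-in for Splunk's regex engine; the sample paths and the `TIGHT` pattern are constructed for illustration.

```python
import re

# Constructed sample paths (not taken from the thread).
SAMPLE_PATHS = [
    "/var/log/samba/log.smbd",
    "/var/log/yum.log",
    "/var/log/messages-20240101.gz",
    "/var/log/messages",
    "/var/log/yumrepo-sync/sync.log",
    "/var/log/bgzip_audit.log",
]

# Pattern exactly as posted in the question: unanchored, unescaped dot.
LOOSE = r"(samba|yum|.gz)"
# Hypothetical tightened form: directory component, exact file, real suffix.
TIGHT = r"(/samba(/|$)|/yum\.log$|\.gz$)"


def excluded(pattern, paths):
    """Return the paths that an unanchored search of `pattern` matches."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def overmatches(loose, tight, paths):
    """Return paths dropped by `loose` that `tight` would still monitor."""
    dropped_by_tight = set(excluded(tight, paths))
    return [p for p in excluded(loose, paths) if p not in dropped_by_tight]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        loose_hit = bool(re.search(LOOSE, path))
        tight_hit = bool(re.search(TIGHT, path))
        print(f"{path:40} loose={loose_hit!s:5} tight={tight_hit}")
    print("Unintended exclusions:", overmatches(LOOSE, TIGHT, SAMPLE_PATHS))
```

Both patterns match the samba directory path under these assumptions, so the check does not explain the "permission denied" message from the question; it only shows what else the loose pattern would drop.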