Getting Data In

Blacklist in inputs.conf not working as expected

Path Finder

I am attempting to monitor all the log with the word access.
But exclude one particular log file.

Here is my inputs.conf

index = nginx
sourcetype = access_combined
disabled = false
blacklist =

Can I specify the log file literally?

0 Karma


Hi hkkenderson,

blacklist is using regex to match, therefore you should use \. instead of just .. Try this:

 blacklist = app\.domain\.com\.access\.https\.log

This assues you want to literally match one dot and not just anything one time.

Hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...