Getting Data In

Blacklisting directory not working - inputs.conf

pkeller
Contributor

inputs.conf

[monitor:///home/foo/logs/*/app]
whitelist = \.gmt.log$
blacklist = monitor
disabled = false

Underneath /home/foo/logs/base/app there are files named foo.YYYYMMDD.gmt.log
There's also a subdirectory named 'monitor'
The app rotates files from the 'app' directory to the 'monitor' directory

But, when I run 'splunk list monitor I see

    /home/foo/logs/base/app
    /home/foo/logs/base/app/foo.20150716.gmt.log
    /home/foo/logs/base/app/foo.20150718.gmt.log
    /home/foo/logs/base/app/monitor
    /home/foo/logs/base/app/monitor/foo.20150710.gmt.log
    /home/foo/logs/base/app/monitor/foo.20150711.gmt.log

Shouldn't those bottom 3 lines be omitted from the output?

Tags (2)
0 Karma
1 Solution

lguinn2
Legend

It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:

 [monitor:///home/foo/logs/*/app/*.gmt.log]
 blacklist = monitor

View solution in original post

lguinn2
Legend

It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:

 [monitor:///home/foo/logs/*/app/*.gmt.log]
 blacklist = monitor

View solution in original post

pkeller
Contributor

Thank you ... That definitely works ... My original monitor stanza had the exact syntax you specify ... (with no blacklist) ... What I found peculiar, is why splunkd would pursue even looking into the monitor subdirectory when the stanza is, in my opinion, quite explicit.

so /home/foo/logs/{a,b,c}/app/*.gmt.log would have no reason to look below, unless something.gmt.log was a subdirectory and not a file

I would have thought that 'monitor' wouldn't come into the picture unless I'd used '...' in one of the pathname elements.

Thanks again.

0 Karma