Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Blacklisting directory not working - inputs.conf

pkeller
Contributor
‎07-18-2015 08:27 AM

inputs.conf

[monitor:///home/foo/logs/*/app]
whitelist = \.gmt.log$
blacklist = monitor
disabled = false

Underneath /home/foo/logs/base/app there are files named foo.YYYYMMDD.gmt.log
There's also a subdirectory named 'monitor'
The app rotates files from the 'app' directory to the 'monitor' directory

But, when I run 'splunk list monitor I see

    /home/foo/logs/base/app
    /home/foo/logs/base/app/foo.20150716.gmt.log
    /home/foo/logs/base/app/foo.20150718.gmt.log
    /home/foo/logs/base/app/monitor
    /home/foo/logs/base/app/monitor/foo.20150710.gmt.log
    /home/foo/logs/base/app/monitor/foo.20150711.gmt.log

Shouldn't those bottom 3 lines be omitted from the output?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2015 09:18 AM

It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:

 [monitor:///home/foo/logs/*/app/*.gmt.log]
 blacklist = monitor

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-18-2015 09:18 AM

It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:

 [monitor:///home/foo/logs/*/app/*.gmt.log]
 blacklist = monitor
Reply
Solved! Jump to solution

pkeller
Contributor
‎07-20-2015 12:45 PM

Thank you ... That definitely works ... My original monitor stanza had the exact syntax you specify ... (with no blacklist) ... What I found peculiar, is why splunkd would pursue even looking into the monitor subdirectory when the stanza is, in my opinion, quite explicit.

so /home/foo/logs/{a,b,c}/app/*.gmt.log would have no reason to look below, unless something.gmt.log was a subdirectory and not a file

I would have thought that 'monitor' wouldn't come into the picture unless I'd used '...' in one of the pathname elements.

Thanks again.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...