Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Blacklisting directory not working - inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf
[monitor:///home/foo/logs/*/app]
whitelist = \.gmt.log$
blacklist = monitor
disabled = false
Underneath /home/foo/logs/base/app there are files named foo.YYYYMMDD.gmt.log
There's also a subdirectory named 'monitor'
The app rotates files from the 'app' directory to the 'monitor' directory
But, when I run 'splunk list monitor I see
/home/foo/logs/base/app
/home/foo/logs/base/app/foo.20150716.gmt.log
/home/foo/logs/base/app/foo.20150718.gmt.log
/home/foo/logs/base/app/monitor
/home/foo/logs/base/app/monitor/foo.20150710.gmt.log
/home/foo/logs/base/app/monitor/foo.20150711.gmt.log
Shouldn't those bottom 3 lines be omitted from the output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:
[monitor:///home/foo/logs/*/app/*.gmt.log]
blacklist = monitor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like the whitelist overrides the blacklist, which is just the opposite of what I would expect. Try this instead:
[monitor:///home/foo/logs/*/app/*.gmt.log]
blacklist = monitor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you ... That definitely works ... My original monitor stanza had the exact syntax you specify ... (with no blacklist) ... What I found peculiar, is why splunkd would pursue even looking into the monitor subdirectory when the stanza is, in my opinion, quite explicit.
so /home/foo/logs/{a,b,c}/app/*.gmt.log would have no reason to look below, unless something.gmt.log was a subdirectory and not a file
I would have thought that 'monitor' wouldn't come into the picture unless I'd used '...' in one of the pathname elements.
Thanks again.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
