Getting Data In

Can I edit inputs.conf to initiate a global blacklist so it applies to all monitored data?

anaqvi
Explorer

How can i globally blacklist (.gz ) or rotational file logs (log.1, log.2, log.3 etc..) in the inputs.conf , so it applies to all monitors?

Please assist.

somesoni2
Revered Legend

There is a [default] available in inputs.conf where you can define your global attributes. These can be overridden at individual input level.

0 Karma

todd_r_martin21
Explorer

I am struggling to get a global blacklist to function. I read the documentation and have the following on my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. for example in path /syslogs/routers/cisco/ciscolog.gz

[default]
host = syslogserver

[blacklist://syslogs/*\.gz$]    ## should this be a Triple or double Whack?

[monitor://syslogs/routers]
    index = routers
    sourcetype = syslog
    source = //syslogs/routers

I also am noticing that a /// ( triple whack) and a // ( double whack) both are present in different monitor stanza's. both work !
for example:
[monitor://syslogs/routers]
and
[monitor:///syslogs/oss]

Thanks,
Todd

0 Karma

somesoni2
Revered Legend

Give this a try

[blacklist:/syslogs/.../*\.gz] 
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...