Re: Can I edit inputs.conf to initiate a global bl...

anaqvi · ‎11-15-2016

How can i globally blacklist (.gz ) or rotational file logs (log.1, log.2, log.3 etc..) in the inputs.conf , so it applies to all monitors?

Please assist.

somesoni2 · ‎11-15-2016

There is a [default] available in inputs.conf where you can define your global attributes. These can be overridden at individual input level.

todd_r_martin21 · ‎02-13-2017

I am struggling to get a global blacklist to function. I read the documentation and have the following on my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. for example in path /syslogs/routers/cisco/ciscolog.gz

[default]
host = syslogserver

[blacklist://syslogs/*\.gz$]    ## should this be a Triple or double Whack?

[monitor://syslogs/routers]
    index = routers
    sourcetype = syslog
    source = //syslogs/routers

I also am noticing that a /// ( triple whack) and a // ( double whack) both are present in different monitor stanza's. both work !
for example:
[monitor://syslogs/routers]
and
[monitor:///syslogs/oss]

Thanks,
Todd

somesoni2 · ‎02-13-2017

Give this a try

[blacklist:/syslogs/.../*\.gz]

Can I edit inputs.conf to initiate a global blacklist so it applies to all monitored data?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!