Getting Data In

Can I edit inputs.conf to initiate a global blacklist so it applies to all monitored data?

anaqvi
Explorer

How can i globally blacklist (.gz ) or rotational file logs (log.1, log.2, log.3 etc..) in the inputs.conf , so it applies to all monitors?

Please assist.

somesoni2
Revered Legend

There is a [default] available in inputs.conf where you can define your global attributes. These can be overridden at individual input level.

0 Karma

todd_r_martin21
Explorer

I am struggling to get a global blacklist to function. I read the documentation and have the following on my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. for example in path /syslogs/routers/cisco/ciscolog.gz

[default]
host = syslogserver

[blacklist://syslogs/*\.gz$]    ## should this be a Triple or double Whack?

[monitor://syslogs/routers]
    index = routers
    sourcetype = syslog
    source = //syslogs/routers

I also am noticing that a /// ( triple whack) and a // ( double whack) both are present in different monitor stanza's. both work !
for example:
[monitor://syslogs/routers]
and
[monitor:///syslogs/oss]

Thanks,
Todd

0 Karma

somesoni2
Revered Legend

Give this a try

[blacklist:/syslogs/.../*\.gz] 
0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...