Getting Data In

Can I edit inputs.conf to initiate a global blacklist so it applies to all monitored data?

Explorer

How can i globally blacklist (.gz ) or rotational file logs (log.1, log.2, log.3 etc..) in the inputs.conf , so it applies to all monitors?

Please assist.

Revered Legend

There is a [default] available in inputs.conf where you can define your global attributes. These can be overridden at individual input level.

0 Karma

I am struggling to get a global blacklist to function. I read the documentation and have the following on my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. for example in path /syslogs/routers/cisco/ciscolog.gz

[default]
host = syslogserver

[blacklist://syslogs/*\.gz$]    ## should this be a Triple or double Whack?

[monitor://syslogs/routers]
    index = routers
    sourcetype = syslog
    source = //syslogs/routers

I also am noticing that a /// ( triple whack) and a // ( double whack) both are present in different monitor stanza's. both work !
for example:
[monitor://syslogs/routers]
and
[monitor:///syslogs/oss]

Thanks,
Todd

0 Karma

Revered Legend

Give this a try

[blacklist:/syslogs/.../*\.gz] 
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!