Getting Data In

How Do I Blacklist a specific file.

englishjohn
New Member

I have a issue blacklisting a specific file "voipcall_wcas1.cdr.2016-10-12-17" the filename changes everyday as it follows the dates. It does not really have an extension. This part of the file name does not change "voipcall_wcas1.cdr."

Can somebody help me.

Thank you

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Edit the inputs.conf for the app you're working in, (SPLUNK-HOME/etc/apps/search/local/inputs.conf would be the path for the default search app)

Now to ignore the voipcall_wcas1.cdr files, you simply add a blacklist to the same input.conf,

[monitor:///directory/directory2/]
disabled = false
index = main
_blacklist = voipcall_wcas1.cdr*
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

bpitts2
Path Finder

As long as you don't want ANY of the "voipcall_wcas1.cdr." files you could just add "voipcall_wcas1.cdr.*" to the blacklist.

Apparently, I cant submit this as an answer because I have less than 40 rep points.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...