How Do I Blacklist a specific file.

englishjohn · ‎10-18-2016

I have a issue blacklisting a specific file "voipcall_wcas1.cdr.2016-10-12-17" the filename changes everyday as it follows the dates. It does not really have an extension. This part of the file name does not change "voipcall_wcas1.cdr."

Can somebody help me.

Thank you

inventsekar · ‎10-18-2016

Edit the inputs.conf for the app you're working in, (SPLUNK-HOME/etc/apps/search/local/inputs.conf would be the path for the default search app)

Now to ignore the voipcall_wcas1.cdr files, you simply add a blacklist to the same input.conf,

[monitor:///directory/directory2/]
disabled = false
index = main
_blacklist = voipcall_wcas1.cdr*

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

bpitts2 · ‎10-18-2016

As long as you don't want ANY of the "voipcall_wcas1.cdr." files you could just add "voipcall_wcas1.cdr.*" to the blacklist.

Apparently, I cant submit this as an answer because I have less than 40 rep points.

How Do I Blacklist a specific file.

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

How Do I Blacklist a specific file.

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience