How come I can't get the Splunk blacklist subfolde... - Splunk Community

Getting Data In

hi,

I am trying to blacklist a subfolder in a particular directory.

The subfolder i am trying to blacklist is app-Status and app-data.

I have used the blacklist as mentioned below but it is not working. How to remove these two folders from logging data?

[monitor:///xxx/jboss/data/log/main/app*/log]
disabled=false
blacklist = ///xxx/jboss/data/log/main/(app-Status|app-data)/log
ignoreOlderThan = 24h
_TCP_ROUTING=xyz
sourcetype=abc
index=xxxxxx

Or just simply blacklist = (app-Status|app-data). The regex doesn't have to match the full path.

blacklist = /xxx/jboss/data/log/main/app-data/log/* | /xxx/jboss/data/log/main/app-Status/log/*

hi

it is not working. i also tried -

blacklist = ///xxx/jboss/data/log/main/app-data/log/*
blacklist = xxx/jboss/data/log/main/app-data/log/*

Did you try with one slash?
blacklist = /xxx/jboss/data/log/main/app-data/log/*

Hi,

i tried like the below syntax and it is working. Thanks for your input.
blacklist = //xxx/jboss/data/log/main/app-data/log/

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...