Getting Data In

How come I can't get the Splunk blacklist subfolder to work?

keishamtcs
Explorer

hi,

I am trying to blacklist a subfolder in a particular directory.

The subfolder i am trying to blacklist is app-Status and app-data.

I have used the blacklist as mentioned below but it is not working. How to remove these two folders from logging data?

[monitor:///xxx/jboss/data/log/main/app*/log]
disabled=false
blacklist = ///xxx/jboss/data/log/main/(app-Status|app-data)/log
ignoreOlderThan = 24h
_TCP_ROUTING=xyz
sourcetype=abc
index=xxxxxx
0 Karma

FrankVl
Ultra Champion

Or just simply blacklist = (app-Status|app-data). The regex doesn't have to match the full path.

0 Karma

jbrocks
Communicator
blacklist = /xxx/jboss/data/log/main/app-data/log/* | /xxx/jboss/data/log/main/app-Status/log/*
0 Karma

keishamtcs
Explorer

hi

it is not working. i also tried -

blacklist = ///xxx/jboss/data/log/main/app-data/log/*
blacklist = xxx/jboss/data/log/main/app-data/log/*

0 Karma

jbrocks
Communicator

Did you try with one slash?
blacklist = /xxx/jboss/data/log/main/app-data/log/*

0 Karma

keishamtcs
Explorer

Hi,

i tried like the below syntax and it is working. Thanks for your input.
blacklist = //xxx/jboss/data/log/main/app-data/log/

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...