Solved: Re: How to blacklist inputs.conf linux var log?

mikefg · ‎11-09-2022

Having some trouble blacklisting a folder that has multiple dynamic subfolders and files. I want to blacklist everything for dir1 including files and any subfolders which are created dynamically. Splunk 8.x host is Linux.

I want to blacklist everything here /var/log/dir1

Example paths

/var/log/dir1/file1.log
/var/log/dir1/dir2/otherfile.log

Currently trying this syntax, but it's not working. I do have another blacklist item that seems to be working and it is blacklist2 which is why I'm numbering the blacklists.

blacklist1 = .*dir1.*
blacklist2 = otheritem

mikefg · ‎11-09-2022

I got it to work. Here's what's working for me.

blacklist = dir1|dir2|\.log$

View solution in original post

mikefg · ‎11-09-2022

I got it to work. Here's what's working for me.

blacklist = dir1|dir2|\.log$

SanjayReddy · ‎11-09-2022

Hi @mikefg
can you try follow

[blacklist:///var/log/dir1/.../*.log]

OR

[blacklist:///var/log/dir1/.../]

How to blacklist inputs.conf linux var log?

blacklist

inputs.conf

universal forwarder

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation