Solved: Re: How to blacklist inputs.conf linux var log?

mikefg · ‎11-09-2022

Having some trouble blacklisting a folder that has multiple dynamic subfolders and files. I want to blacklist everything for dir1 including files and any subfolders which are created dynamically. Splunk 8.x host is Linux.

I want to blacklist everything here /var/log/dir1

Example paths

/var/log/dir1/file1.log
/var/log/dir1/dir2/otherfile.log

Currently trying this syntax, but it's not working. I do have another blacklist item that seems to be working and it is blacklist2 which is why I'm numbering the blacklists.

blacklist1 = .*dir1.*
blacklist2 = otheritem

mikefg · ‎11-09-2022

I got it to work. Here's what's working for me.

blacklist = dir1|dir2|\.log$

View solution in original post

mikefg · ‎11-09-2022

I got it to work. Here's what's working for me.

blacklist = dir1|dir2|\.log$

SanjayReddy · ‎11-09-2022

Hi @mikefg
can you try follow

[blacklist:///var/log/dir1/.../*.log]

OR

[blacklist:///var/log/dir1/.../]

How to blacklist inputs.conf linux var log?

blacklist

inputs.conf

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation