Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to blacklist specific hosts so Splunk will not index their IIS logs in our "iis" index?

rakeshcse2
New Member
‎09-02-2015 12:08 PM

I have an index called "iis".

How can I blacklist some specific hosts so that Splunk would not process iis logs for these hosts?
I did something like this in inputs.conf, but this is not working:

# IIS Logs
[monitor://S:\logs\W3SVC*\*.log]
sourcetype = iis
index = iis
ignoreOlderThan = 30d
disabled = false 
blacklist = Server1,server2
0 Karma
Reply

somesoni2
Revered Legend
‎09-02-2015 02:56 PM

Does each of your servers have Splunk forwarder installed and they have this monitor stanza to send the logs to your Indexer??

0 Karma
Reply

rakeshcse2
New Member
‎09-02-2015 03:30 PM

Yes, each of the hosts have the forwarder installed and they are managed by a central server.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-02-2015 02:36 PM

a blacklist is a regex, so you may want to do :

blacklist = (Server1|Server2)

beware this is also case sensitive.

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...