Getting Data In

How to blacklist specific hosts so Splunk will not index their IIS logs in our "iis" index?

rakeshcse2
New Member

I have an index called "iis".

How can I blacklist some specific hosts so that Splunk would not process iis logs for these hosts?
I did something like this in inputs.conf, but this is not working:

# IIS Logs
[monitor://S:\logs\W3SVC*\*.log]
sourcetype = iis
index = iis
ignoreOlderThan = 30d
disabled = false 
blacklist = Server1,server2
0 Karma

somesoni2
Revered Legend

Does each of your servers have Splunk forwarder installed and they have this monitor stanza to send the logs to your Indexer??

0 Karma

rakeshcse2
New Member

Yes, each of the hosts have the forwarder installed and they are managed by a central server.

0 Karma

yannK
Splunk Employee
Splunk Employee

a blacklist is a regex, so you may want to do :

blacklist = (Server1|Server2)

beware this is also case sensitive.

Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...