I have an index called "iis".
How can I blacklist some specific hosts so that Splunk would not process iis logs for these hosts?
I did something like this in inputs.conf, but this is not working:
# IIS Logs [monitor://S:\logs\W3SVC*\*.log] sourcetype = iis index = iis ignoreOlderThan = 30d disabled = false blacklist = Server1,server2
a blacklist is a regex, so you may want to do :
blacklist = (Server1|Server2)
beware this is also case sensitive.
Does each of your servers have Splunk forwarder installed and they have this monitor stanza to send the logs to your Indexer??
Yes, each of the hosts have the forwarder installed and they are managed by a central server.